WILI-S 5.26 Reference Manual
From wiliGear wiki
WILI-S Configuration File
 | The keys of the configuration file in this manual are provided for WILI-S 5.00 firmware version and later therefore they may differ from the keys of 3.54 firmware and former versions. |
The WILI configuration file is a text file consisting of <key>=<value> assignments, one assignment per line. Modified configuration will become active after device reboot. The keys are case sensitive. Whitespace around keys and values is insignificant and it will be removed automatically after reboot. If duplicate keys are found, the first one is left and all the others are removed irrespective of the value assigned to those keys.
If the first character after whitespace on line is a "#" character, text between that character and the end of the same line is a comment. Comment lines and blank lines are ignored and may be added to make the file easier to read.
Example:
# this line is a comment netconf.1.devname=ixp1 netconf.1.ip=192.168.2.5 netconf.1.netmask=255.255.255.0
In the example above keys have index “1” and describe the settings of ixp1 interface. The index indicates functionally similar items and it will be specified as <index> in the configuration file descriptions, eg., netconf.<index>.devname, netconf.<index>.ip, netconf.<index>.netmask.
The configuration file location on local WILI file system is /tmp/system.cfg. The configuration file can be changed or a new file can be uploaded using Web interface. It is also possible to manually update device configuration. Follow these steps:
- make sure that SSH server is running (see section SSH Server below for details)
- login to device with secure SFTP client
- upload new configuration file to /tmp/system.cfg
- login through SSH, type shell command to exit to shell (see document CLI Access)
- execute sysconf –w
- reboot the device.
Some keys can have default values, others can be unused or have to be explicitly specified for some feature to work correctly. These keys and their values will be printed through local syslog facility to a system log file. The system log file on WILI is /var/log/messages. Logging can be redirected to a remote host (see section Syslog Configuration).
Example: An excerpt from default system log file:
Jan 1 00:00:06 sysconf[89]: Using default value: 'disabled' for non existing bool key: 'aaa.nas.1.verbose' Jan 1 00:00:06 sysconf[89]: Unused key: netconf.1.type=Ethernet
Network Configuration
This section describes settings of physical and logical network interfaces. This includes physical LAN and WAN interface settings, DNS settings, DHCP settings, AAA settings, tunnels and wireless interface settings.
Interface
The physical network interfaces can be configured to work as either local area network (LAN) or wide area network (WAN) interfaces. LAN is used to connect hubs, switches, Access Points and other devices on a subscriber side, while the WAN port connects to the Internet service provider’s (ISP) network.
All available keys of the network interface configuration are listed below:
netconf.status – specify the interface configuration feature status [enabled/disabled]. In general this key should always be specified and set to enabled.
netconf.<index>.status – specify current network interface status [enabled/disabled].
netconf.<index>.devname – specify the interface name [lo/ixp0/ixp1/ath0/logical interface name]. The physical interface names are:
- lo – local loopback interface
- ixp0 – LAN interface
- ixp1 – WAN interface
- ath0 – wireless interface
Logical interface names will be described in the following sections.
netconf.<index>.type – specify the interface type [loopback/wireless/ethernet/bridge/gre].
netconf.<index>.mode – specify the interface mode [lan/wan].
netconf.<index>.up – specify the interface status [enabled/disabled]. This value causes the interface to be activated, or the driver for this interface to be shut down.
netconf.<index>.ip – specify the interface IP address, eg. 192.168.5.1.
netconf.<index>.netmask – specify the interface subnet mask, eg. 192.168.5.0.
netconf.<index>.broadcast – specify the interface broadcast IP address, eg. 192.168.5.255.
netconf.<index>.alias.status – specify the interface alias functionality status [enabled/disabled]. This enables/disables all interface aliases. Default: disabled.
netconf.<index>.alias.<index>.status – specify current alias status [enabled/disabled].
netconf.<index>.alias.<index>.ip – specify the IP address for the interface alias. This key may be used as aliased IP range start, used together with netconf.<index>.alias.<index>.ip_range_end key.
netconf.<index>.alias.<index>.ip_range_end – specify the aliased IP range end. This key is used with netconf.<index>.alias.<index>.ip which means the aliased IP range start.
netconf.<index>.alias.<index>.netmask – specify the subnet mask for the interface alias, eg. 192.168.6.0.
netconf.<index>.alias.<index>.broadcast – specify the broadcast IP address for the interface alias, eg. 192.168.6.255.
netconf.<index>.mcast.status – specify the multicast address status [enabled/disabled]. Default: disabled. The multicast keys are used to attach a static link layer multicast address to listen on the interface. They only manage link layer addresses.
netconf.<index>.mcast.<index>.lladdress – specify the multicast link layer address.
netconf.<index>.mcast.<index>.address – specify the multicast IPv4 address, will be remapped by plugin to link layer.
netconf.2.mcast.status=enabled netconf.2.mcast.1.address=01:00:5e:00:00:0a netconf.2.mcast.1.address=224.192.16.1
netconf.<index>.allmulti - specify the status of all-multicast mode [enabled(default)|disabled]. default: disabled. If enabled, all multicast packets on the network will be received by the interface.
netconf.<index>.mac – specify the interface MAC address [colon separated 6 hexadecimal value pairs, eg. 03:FA:45:10:BA:44].
netconf.<index>.promisc – specify the promiscuous mode status [enabled/disabled]. If enabled, all packets on the network will be received by this interface.
netconf.<index>.mtu – specify the MTU size in B [integer]. Default: 1500. MTU is the largest physical packet size, measured in bytes, that a network can transmit. Any messages larger than the MTU are divided into smaller packets before being sent.
The following keys autoneg, advertise, speed and duplex in netconf.* section applies to Ethernet devices only. These keys allows you to control at what speed and duplexity device Ethernet is allowed to be connected in the network.
netconf.<index>.autoneg – specify status of auto negotiating [enabled/disabled]. Default: enabled.
netconf.<index>.advertise – specify advertise [auto/number]. Default: auto. This key is usable when autoneg key is enabled.
- 0x001 – 10baseT-HD'
- 0x002 – 10baseT-FD'
- 0x003 – 10baseT'
- 0x004 – 100baseTx-HD'
- 0x008 – 100baseTx-FD'
- 0x00C – 100baseTx'
- 0x010 – 1000baseTx-HD'
- 0x020 – 1000baseTx-FD'
- 0x030 – 1000baseTx'
- 0x03F – auto (combination of all above)
netconf.<index>.speed – specify Ethernet link speed between switch and WILI device in Mbps [10/100/1000].
netconf.<index>.duplex – specify duplexity of the Ethernet link [half/full].
Example 1:
netconf.1.autoneg = disabled netconf.1.advertise = auto netconf.1.speed = 10 netconf.1.duplex = half
Ethernet is allowed to connected at fixed 10Mbps speed, duplex will be set to half. The advertise makes no sense when auto negotiation (autoneg key) is disabled.
Example 2:
netconf.1.autoneg = enabled netconf.1.advertise = auto netconf.1.speed = 10 netconf.1.duplex = half
Ethernet is allowed to negotiate best speed and duplexity. Parameters speed and duplex will be ignored when autoneg is enabled. It is up to Ethernet driver to decide which exactly speed , duplexity must be used, according advertise
- 10baseT/Half
- 10baseT/Full
- 100baseT/Half
- 100baseT/Full
Speed and duplexity chosen depends on link partner capabilities in this case.
Example:
netconf.1.devname=ixp1 netconf.1.netmask=255.255.255.0 netconf.1.ip=192.168.2.220 netconf.1.up=enabled netconf.1.mode=wan netconf.1.type=Ethernet netconf.1.promisc=disabled netconf.1.alias.status=enabled netconf.1.alias.1.status=enabled netconf.1.alias.1.ip=192.168.2.16 netconf.1.alias.2.status=enabled netconf.1.alias.2.ip=192.168.2.17 netconf.1.alias.3.status=enabled netconf.1.alias.3.ip=192.168.2.200 netconf.1.alias.3.ip_range_end=192.168.2.210
The configuration in example means, that there will ixp1 interface configured to have 192.168.2.220 as a primary IP address on interface, netmask is set 255.255.255.0, default gateway 192.168.2.1, interface is up. Also, see alias, this tells to configure ixp1 to have such ip addresses as well (aliased IP addresses):
- 192.168.2.16
- 192.168.2.17
- 192.168.2.200-192.168.2.210, range starting 200 and ending 210 (11 IP addresses)
Alias IP addresses are added with 32 bit netmask(255.255.255.255). It is user's responsibility to define routes for these addresses in configuration file.
The Bridge
A bridge transparently relays traffic between multiple network interfaces. Bridge is identified by a custom interface name. It is basically a container for other interfaces.
There are some restrictions for bridge management that shall be taken into account:
- It is not possible to add a device to multiple bridges.
- VLANs cannot be created on bridge interfaces they can only be added to them.
- A bridge cannot be included into another bridge.
All available keys of the bridge configuration are listed below:
bridge.status – specify the bridge feature status [enabled/disabled]. Default: disabled.
bridge.<index>.status – specify current entry status [enabled/disabled]. Default: enabled.
bridge.<index>.devname – specify the bridge interface name [custom string up to 15 characters in length, eg. br0, mandatory].
bridge.<index>.stp.status – define the STP (Spanning Tree Protocol) status [enabled/disabled]. Default: disabled.
If you are running multiple or redundant bridges, then you need to enable the Spanning Tree Protocol (STP) to optimize multiple hops and avoid bridging loops. Normally redundant bridges would result in duplicated packets which would saturate the connected networks. Bridges configured to use STP negotiate the shortest possible link between the connected networks and disable all other possible links. If a link fails STP recalculates the links and can enable a workaround for the failed link. For the bridge to take part in this negotiation, the STP must be enabled. It is disabled by default when creating the bridge.
Each bridge has a relative priority and cost. Each interface is associated with a port (number) in the STP code. The priority and cost are used to decide which is the shortest path to forward a packet. The lowest cost path is always used unless the other path is down. If you have multiple bridges and interfaces you may need to adjust the priorities to achieve optimum performance.
| | If your bridge is not the only bridge on the LAN, or if there are loops in the LAN topology, STP is strongly recommended. |
The STP protocol first elects a root bridge. The root bridge is the bridge with the lowest priority in the network. If several bridges have the same priority assigned the bridge with the lowest MAC address is chosen. The root bridge is the "central" bridge in the spanning tree.
| | It is recommended not to use more than one VLAN or VSSID in the bridge, otherwise in some network topologies (using switches) the bridge may not work as expected. |
bridge.<index>.priority – specify the bridge priority [0-65535]. Default: 32768.
bridge.<index>.fd – specify the forwarding delay time [0-65535]. Forwarding delay time is the time spent in each of the listening and learning states before the forwarding state is entered. Default: 15.
bridge.<index>.hello – specify the interval between hello packets in seconds [0-65535]. Hello packets are used to communicate information about the topology throughout the entire bridged LAN. Default: 2.
bridge.<index>.ageing – define the interface hardware (MAC) address ageing time, in seconds [0-65535]. The ageing time is the number of seconds a MAC address will be kept in the forwarding database after receiving a packet from this MAC address. The entries in the forwarding database are periodically timed out to ensure that old ones do not persist in the database. Default: 300.
bridge.<index>.maxage – specify the maximum bridge message age in seconds [0-65535]. If the last received hello packet is more than this value, the bridge in question will initiate the root bridge election procedure. Default: 20.
bridge.<index>.port.<index>.status – specify current bridge port status [enabled/disabled]. Default: disabled.
bridge.<index>.port.<index>.devname – specify the interface name to be added into bridge (physical interface, VLAN or GRE tunnel).
bridge.<index>.port.<index>.path.cost – specify the port’s path cost on this interface [0-65535]. This metric is used in the designated port and root port selection algorithms. Default: 100.
bridge.<index>.port.<index>.priority – specify the priority of ports with equal cost [0-255]. You can use this to control which port gets used when there are redundant paths. Default: 128.
bridge.arptables – if enabled it will pass bridged ARP traffic to arptables' FORWARD chain [enabled/disabled]. Default: enabled.
bridge.iptables – if enabled it will pass bridged IPv4 traffic to iptables' chains [enabled/disabled]. Default: enabled.
bridge.ip6tables – if enabled it will pass bridged IPv6 traffic to ip6tables' chains [enabled/disabled]. Default: enabled.
bridge.vlan – if enabled it will pass bridged vlan-tagged ARP/IP/IPv6 traffic to {arp,ip,ip6}tables [enabled/disabled]. Default: enabled.
Example:
# create bridge br0 with ixp0 and ath0 interfaces bridge.status=enabled bridge.1.status=enabled bridge.1.ageing=300 bridge.1.devname=br0 bridge.1.fd=1 bridge.1.hello=20 bridge.1.maxage=300 bridge.1.port.1.status=enabled bridge.1.port.1.devname=ixp0 bridge.1.port.2.status=enabled bridge.1.port.2.devname=ath0 bridge.1.priority=2 bridge.1.stp.status=disabled
DHCP
The WILI device can act as DHCP (Dynamic Host Configuration Protocol) client, DHCP server and/or as a DHCP relay gateway. The DHCP service is supported on both physical and logical interfaces.
DHCP Client
Configured DHCP client will try to get an IP lease immediately on WILI startup.
All available keys of the DHCP client are listed below:
dhcpc.status – specify the service status [enabled/disabled]. Default: disabled.
dhcpc.background – allows to enable the device not to wait for IP address and start a boot process [enabled/disabled]. Default: disabled.
| | In case the key dhcpc.background is enabled and the device starts the boot process without IP address, the following services will not be started:
|
dhcpc.<index>.status – specify the DHCP client status [enabled/disabled]. Default: enabled.
dhcpc.<index>.devname – specify the interface on which you want to enable the DHCP client.
Example:
# enable DHCP client on ixp1 interface dhcpc.status=enabled dhcpc.background=disabled dhcpc.1.status=enabled dhcpc.1.devname=ixp1
DHCP Server
The DHCP server assigns clients on the LAN dynamic IP addresses. The server is supported on physical and logical LAN interfaces. Each LAN interface runs a separate DHCP server instance.
All available keys of the DHCP server are listed below:
dhcpd.status – specify the feature status [enabled/disabled]. Default: disabled.
dhcpd.<index>.status – specify the DHCP server status [enabled/disabled]. Default: enabled.
dhcpd.<index>.devname – specify the name of interface on which you want to configure the DHCP service [interface name, mandatory].
dhcpd.<index>.start – specify the starting IP address of the DHCP address pool [IP address, mandatory].
dhcpd.<index>.end – specify the ending IP address of DHCP address pool [IP address, mandatory].
dhcpd.<index>.gateway – specify the gateway IP address.
dhcpd.<index>.netmask – specify the netmask.
dhcpd.<index>.dns.1.status – specify the primary DNS server status [enabled/disabled]. Default: enabled.
dhcpd.<index>.dns.1.server – specify the primary DNS server IP address.
dhcpd.<index>.dns.2.status – specify the secondary DNS server status [enabled/disabled]. Default: enabled.
dhcpd.<index>.dns.2.server – specify the secondary DNS server IP address.
dhcpd.<index>.lease_time – specify the IP address lease interval in seconds [1-4294967295]. Default: 864000.
dhcpd.<index>.wins – specify WINS server IP address.
dhcpd.<index>.domain – specify the DHCP domain name [1-128 character string].
Example:
# configure the DHCP server: dhcpd.status = enabled dhcpd.1.devname = ixp1 dhcpd.1.start = 192.168.4.2 dhcpd.1.end = 192.168.4.254 dhcpd.1.gateway = 192.168.4.1 dhcpd.1.netmask = 255.255.255.0 dhcpd.1.dns.1.server = 212.59.0.1 dhcpd.1.lease_time = 10000
DHCP Relay
The DHCP relay forwards DHCP messages between subnets with different sublayer broadcast domains.
In public access or large-scale enterprise wireless networks where two or more gateways (APs/NASs) may be used to connect wireless clients to LAN there is a need to have one centralized DHCP server. DHCP server may be used to serve IP addresses, DNS server addresses and other relevant information for large LAN based network and/or for NAT'ing to allow clients to reach Internet. One or more APs may be used as relays to pass DHCP requests to the central DHCP server and send DHCP server responses back to clients.
 | DHCP relay won’t work if there is a DHCP server or client started on the same LAN interface. |
| | Depending on your network configuration, you may need to add firewall rules to allow clients unrestricted access to DHCP service ports on DHCP servers. This is needed because after negotiating a DHCP lease, a client talks to DHCP server directly and not through DHCP relay. See section IP Firewall Configuration for details. |
The available keys of the DHCP Relay feature are listed below:
dhcp-fwd.status – specify the DHCP relay service status [enabled/disabled]. Default: disabled
dhcp-fwd.server.<index>.status – specify current service status [enabled/disabled]. Default: enabled.
dhcp-fwd.server.<index>.devname – specify the WAN interface name through which the DHCP server could be reached [string, interface name].
dhcp-fwd.server.<index>.ip – specify the DHCP server IP address [IP address or string “bcast”]. Specifying “bcast” allows broadcasting DHCP request on WAN when no unicast server address is known.
dhcp-fwd.client.<index>.status – specify the status of client interface [enabled/disabled]. Default: enabled.
dhcp-fwd.client.<index>.devname – specify the client interface name. This parameter defines a LAN interface where DHCP clients reside. A few interfaces may be defined.
dhcp-fwd.client.<index>.circuit_id – specify the client circuit id [string]. Every client interface (LAN) may have their unique identifier. As the circuit id could be used NAS-ID, NAS-MAC or NAS-IP. Refer to section AAA Configuration for details about NAS settings. The DHCP servers can provide IP addresses from different address pools depending on a circuit id. Please refer to RFC 3046 for details.
Example 1:
# simple configuration with one client interface (LAN) and one server # interface (WAN): dhcp-fwd.status=enabled dhcp-fwd.server.1.status=enabled dhcp-fwd.server.1.devname=ixp1 dhcp-fwd.server.1.ip=bcast dhcp-fwd.client.1.status=enabled dhcp-fwd.client.1.devname=ath0
Example 2:
# configuration to show all the possible features: dhcp-fwd.status=enabled dhcp-fwd.server.1.status=enabled dhcp-fwd.server.1.devname=ixp1 dhcp-fwd.server.1.ip=192.168.2.125 dhcp-fwd.server.2.status=enabled dhcp-fwd.server.2.devname=ixp2 dhcp-fwd.server.2.ip=bcast dhcp-fwd.client.1.status=enabled dhcp-fwd.client.1.devname=ath0 dhcp-fwd.client.1.circuit_id=MY_NAS_ID_1 dhcp-fwd.client.2.status=enabled dhcp-fwd.client.2.devname=ixp0 dhcp-fwd.client.2.circuit_id=MY_NAS_ID_2
| | To successfully setup DHCP relay on a router it is necessary to make DHCP Server possible of reaching addresses which are sent in 'giaddr' (Relay agent IP address) field of DHCP packets. This allows routing server to reply back to clients through gateway which is of course DHCP relay as well. |
E.g, on DHCP server machine:
route add -net <client_subnet> netmask <client_netmask> gw <relay_ip>
| | On a router with AAA enabled a firewall rule is necessary which allows clients to send/receive DHCP packets unrestricted. This is needed because after negotiating a lease from a DHCP client talks to DHCP server directly and not through DHCP relay. |
DNS
| | Maximum 3 name servers and 6 domain search entries can be specified. |
Setup the DNS (Domain Name Service) service that translates Internet host names into their IP addresses.
All available keys of the DNS configuration are listed below:
resolv.status – specify the DNS status [enabled/disabled].
resolv.nameserver.<index>.status – specify current DNS server status [enabled/disabled]. Default: enabled.
resolv.nameserver.<index>.ip – specify the IP address of the DNS server [IP address, mandatory].
resolv.search.<index>.status – specify the status [enabled/disabled]. Default: enabled.
resolv.search.<index>.domain – specify the domain name to use for DNS lookups when no domain is specified [domain name, eg. mycompany.net]. Specified domains will be checked in turn until a match is found.
resolv.host.<index>.status – specify current host entry status [enabled/disabled]. Default: enabled.
resolv.host.<index>.ip – specify the IP address of the hostname [IP address, mandatory].
resolv.host.<index>.name – specify the canonical hostname [hostname string, mandatory].
resolv.host.<index>.alias.<index>.status – specify the parameter status [enabled/disabled]. Default: enabled.
resolv.host.<index>.alias.<index>.name – specify the alias [hostname string]. Aliases are used for name changes, alternate spellings, shorter hostnames, or generic hostnames (eg., localhost).
Example:
resolv.status=enabled resolv.nameserver.1.ip=204.74.112.1 resolv.nameserver.2.ip=204.74.112.2 resolv.search.1.domain=domain1.net resolv.search.2.domain=domain2.net resolv.host.1.ip=127.0.0.1 resolv.host.1.name=host.domain1.net resolv.host.1.alias.1.name=fireball resolv.host.1.alias.2.name=localhost.localdomain resolv.host.1.alias.3.name=localhost
DNS Forwarder
DNS request forwarder, called DNSMASQ, intercepts all DNS requests from wireless/LAN clients and forwards them to a particular DNS server(s) which may be defined in the system configuration file or dynamically obtained through DHCP lease (forwarder will check for changes to system’s DNS settings on every DNS request). Forwarder has a cache which speeds up DNS requests and reduces network traffic. It listens on the standard DNS TCP and UDP ports 53 on interfaces specified in the configuration file. Two firewall rules are required for forwarder to function correctly.
The available keys of the DNS forwarder feature are listed below:
dnsmasq.status – specify the DNSMASQ feature status [enabled/disabled].
dnsmasq.<index>.status – specify current DNSMASQ entry status [enabled/disabled].
dnsmasq.<index>.devname – specify the input interface name.
The example below shows setup of the firewall configuration specific to DNSMASQ. Refer to section IP Firewall Configuration for further firewall configuration details.
Example:
# configure DNSMASQ on ath0 interface # first configure redirection of DNS ports firewall.status=enabled firewall.rule.1.table=nat firewall.rule.1.chain=PREROUTING firewall.rule.1.protocol=TCP firewall.rule.1.in=ath0 firewall.rule.1.dport=53 firewall.rule.1.target=REDIRECT firewall.rule.2.table=nat firewall.rule.2.chain=PREROUTING firewall.rule.2.protocol=UDP firewall.rule.2.in=ath0 firewall.rule.2.dport=53 firewall.rule.2.target=REDIRECT # enable DNSMASQ on ath0 dnsmasq.status=enabled dnsmasq.1.devname=ath0
Dynamic DNS
The DNS client maintains the IP address of a host name. It periodically checks whether the IP address of the current machine (the external visible IP address of the machine that runs INADYN) has changed. If yes it performs an update in the dynamic dns server.
Following configuration keys are used by inadyn:
inadyn.status – specify status of dynamic DNS [enabled/disabled]. Default: disabled.
inadyn.username – specify the username [string].
inadyn.password – specify the password [password].
inadyn.alias.<index>.value – specify the host name alias, for example system.dyndns.org [string].
inadyn.update_period – specify the update period in seconds, max is 10 days = 10 * 24 * 3600 [integer]. Default 60 sec.
inadyn.system – specify the DYNDNS service type [string]. Default: dyndns@dyndns.org. Possible service types are:
- for dyndns.org: dyndns@dyndns.org OR statdns@dyndns.org OR customdns@dyndns.org
- for freedns.afraid.org: default@freedns.afraid.org
- for zoneedit.com: default@zoneedit.com
- for no-ip.com: default@no-ip.com
- for easydns.com: default@easydns.com
- for 3322.org: dyndns@3322.org
Example:
inadyn.status=enabled inadyn.username=myusername inadyn.password=mypassword inadyn.update_period=180 inadyn.system=dyndns@dyndns.org inadyn.alias.1.value=3gear.dyndns.org
For this example inadyn sysconf plugin will generate /etc/inadyn.conf file containing:
username myusername password mypassword alias 3gear.dyndns.org update_period_sec 180 dyndns_system dyndns@dyndns.org syslog
VLAN
| | Up to 4094 VLANs can be created on the system. |
Virtual Local Area Networks (VLANs) are logical groupings of network resources, eg. public access users can be separated from company Intranet users using VLANs on the ethernet interface. Access control policies can be applied on a per-VLAN basis. VLANs are uniquely identified by VLAN id number. Setting up VLAN on physical interface will create virtual network interface named like physical interface with dot and VLAN id appended, eg. setting VLAN with id 10 on interface ixp0 will create virtual interface called ixp0.10.
All available keys for VLAN configuration are listed below:
vlan.status – specify the VLAN feature status [enabled/disabled]. Default: disabled.
vlan.<index>.status – specify the VLAN status [enabled/disabled]. Default: enabled.
vlan.<index>.parent – specify the LAN interface name to make VLAN on.
vlan.<index>.id – assign ID for your VLAN network [2-4095]. Devices configured with the same ID (eg. access points) are logically grouped into this VLAN.
Per-VLAN QoS offers differentiated quality of services to individual VLANs on a trunk port. A per-VLAN service policy can be separately applied to either ingress or egress traffic.
vlan.<index>.priority_in – specify either manual or auto mappings for ingress packets will be set [auto/manual]. Default: manual.
vlan.<index>.priority_out – specify either manual or auto mappings for egress packets will be set [auto/manual] Default: manual.
The ingress mapping - maps VLAN QoS field (3bits) to local packet priority field (32bits).
vlan.<index>.prio_in_map.<index>.vlan_qos – specify the ingress VLAN priority in bits [0..7].
vlan.<index>.prio_in_map.<index>.pkt_prio – specify the ingress packet priority in bits [0..0x7fffffff].
The egress mapping - maps local packet priority field to VLAN QoS field:
vlan.<index>.prio_out_map.<index>.vlan_qos – specify the egress VLAN priority in bits [0..7].
vlan.<index>.prio_out_map.<index>.pkt_prio – specify the egress packet priority in bits [0..0x7fffffff].
If vlan.<index>.priority_in/out=manual, user configured mappings for ingress/regress packets will be set. If no mapping found, will map to 0 (same as default without any mappings); if vlan.<index>.priority_in =auto, 0:0, 1:1,..7:7 mappings will be generated.
Example:
# configure VLAN id 10 on ixp0 vlan.status=enabled vlan.1.parent=ixp0 vlan.1.id=10
Routing
This sysconf plugin manipulates the kernel's IP routing tables. Its primary use is to set up static routes to specific hosts or networks via an interface after it has been configured. That is IP address, netmask and broadcast addresses are assinged to an interface. Interfaces must be up, otherwise any attempt to install routing entries will be rejected by the kernel.
Kernel consults routing entries, when deciding which interface to use to dispatch the packet. Route entries are scanned using packet's destination IP address. If none matched, kernel dispatches packet through a default route (to a next known gateway which must be reachable and on the same LAN network as device). If routing decision is made based on source IP address that would be a source routing instead, read Source Routing section below.
Available Keys:
route.status - specify general status of routing service on a device [enabled/disabled]. Default: disabled.
route.ip_forward - specify IP Forwarding status [enabled/disabled]. If disabled, no routing or bridging will take place. Packet received on one interface will not be forwarded via another interface.
route.<index>.status - specify status of the particular routing entry [enabled/disabled]. Default: enabled. If enabled, the following routing entry will be installed in the routing stack, otherwise entry is omitted.
route.<index>.devname - specify interface name of an existing network interface on device [interface name].
route.<index>.gateway - specify gateway IP address [ip address]. This value is optional if gateway is not used. When specifying gateway prefer numeric IP address instead of FQDN (it is bad to assume that DNS service is configured correctly or interfaces are already configured and DNS server is reachable).
route.<index>.ip - specify Target IP address [ip address]. Ip address can be a network address or host ip address. The difference between two is that netmask length.
route.<index>.netmask - specify Target netmask in bits, e.g. 24 [netmask]. Optional if host route.
Example: creates the following routing entries : IP addresses 192.168.4.0/24 are reachable on interface ixp0 (LAN). IP addresses 192.168.2.0/24 are reachable on interface ixp1 (WAN). Creates a host route to 192.168.3.3 via 192.168.2.3 as a gateway. Adds '192.168.2.1' as a default gateway.
route.<index>.type - specify route type [unicast/local/broadcast/multicast/throw/unreachable/prohibit/blackhole].
- unicast - the route entry describes real paths to the destinations covered by the route prefix.
- unreachable - these destinations are unreachable. Packets are discarded and the ICMP message host unreachable is generated. The local senders get an EHOSTUNREACH error.
- blackhole - these destinations are unreachable. Packets are discarded silently. The local senders get an EINVAL error.
- prohibit - these destinations are unreachable. Packets are discarded and the ICMP message communication administratively prohibited is generated. The local senders get an EACCES error.
- local - the destinations are assigned to this host. The packets are looped back and delivered locally.
- broadcast - the destinations are broadcast addresses. The packets are sent as link broadcasts.
- throw - a special control route used together with policy rules. If such a route is selected, lookup in this table is terminated pretending that no route was found. Without policy rout‐ ing it is equivalent to the absence of the route in the routing table. The packets are dropped and the ICMP message net unreachable is generated. The local senders get an ENETUNREACH
- multicast - a special type used for multicast routing. It is not present in normal routing tables.
route.status = enabled route.ip_forward = enabled route.1.ip = 192.168.4.0 # network address route.1.netmask = 24 # 255.255.255.0 route.1.devname = ixp0 route.2.ip = 192.168.2.0 # network address route.2.netmask = 24 # 255.255.255.0 route.2.devname = ixp1 ... # disabled entry, host route tells the 192.168.3.3 is reacable via 192.168.2.3 gw route.12.status = disabled route.12.ip = 192.168.3.3 # host ip address route.12.netmask = 32 # or can be omitted entirely. route.12.gateway = 192.168.2.3 ... # default route : route.20.ip = 0.0.0.0 route.20.netmask = 0 route.20.devname = ixp1 route.20.gateway = 192.168.2.1
Static Source Routing
Classic routing algorithms used in the Internet make routing decisions based only on the destination address of packets (and in theory, but not in practice, on the TOS field).
In some circumstances we want to route packets differently depending not only on destination addresses, but also on other packet fields: source address, IP protocol, transport protocol ports or even packet payload. This task is called 'policy routing'.
To solve this task, the conventional destination based routing table, ordered according to the longest match rule, is replaced with a 'routing policy database' (or RPDB), which selects routes by executing some set of rules.
Each policy routing rule consists of a selector and an action predicate. The RPDB is scanned in the order of increasing priority. The selector of each rule is applied to {source address, destination address, incoming interface, tos, fwmark} and, if the selector matches the packet, the action is performed. The action predicate may return with success. In this case, it will either give a route or failure indication and the RPDB lookup is terminated. Otherwise, the RPDB program continues on the next rule.
Semantically, natural action is to select the nexthop and the output device.
At startup time the kernel configures the default RPDB consisting of three rules:
1. Priority: 0, Selector: match anything, Action: lookup routing table local (ID 255). The local table is a special routing table containing high priority control routes for local and broadcast addresses.
Rule 0 is special. It cannot be deleted or overridden.
2. Priority: 32766, Selector: match anything, Action: lookup routing table main (ID 254). The main table is the normal routing table containing all non-policy routes. This rule may be deleted and/or overridden with other ones by the administrator.
3. Priority: 32767, Selector: match anything, Action: lookup routing table default (ID 253). The default table is empty. It is reserved for some post-processing if no previous default rules selected the packet. This rule may also be deleted.
Each RPDB entry has additional attributes. F.e. each rule has a pointer to some routing table. NAT and masquerading rules have an attribute to select new IP address to translate/masquerade. Besides that, rules have some optional attributes, which routes have, namely realms. These values do not override those contained in the routing tables. They are only used if the route did not select any attributes.
Source Routing tables can be defined using the following keys:
route.table.<index>.status – specify the table entry status [enabled/disabled]. Default: enabled.
route.table.<index>.id – specify the table number [0-255]. The table numbers 0, 253-255 are reserved.
| | We strongly recommend not to use the reserved table numbers. In case of misuse, the device can become unreachable and therefore it will need to be reset to factory defaults. |
route.table.<index>.name – specify the table name [string without spaces].
Example:
route.table.1.id=101 route.table.1.name=wisp1 route.table.2.id=102 route.table.2.name=wisp2-noc route.table.3.id=103 route.table.3.name=wisp3 ...
These entries are transformed to file located at /etc/iproute2/rt_tables :
# # reserved values # 255 local 254 main 253 default 0 unspec # # local # 101 wisp1 102 wisp2-noc 103 wisp3
route.<index>.table – specify the table number or name [0-255 or string without spaces]. Reserved numbers are 255 - local table, 254 - main table, 253 default table and 0 for unspecified table. Please refrain from using these table numbers - unless you are sure what are you doing. As a result of missue device can become unreachable and therefore it will need to be reset to factory defaults in order to restore device. Alternatively route-table-name (and this is a prefered way) use the symbolic table name instead of number. As in example given above, specify wisp1 instead of 101 as a number.
Example: The same as above, only that routes are installed in particular routing table.
route.status = enabled route.ip_forward = true # network address route.1.ip = 192.168.4.0 # netmask: 255.255.255.0, 24 bits set to 1 route.1.netmask = 24 # install entry to table no. 101/ or name 'wisp1' route.1.devname = ixp0 route.1.table = wisp1 # alternatively: # route.1.table = 100 # disabled entry, host route tells the 192.168.3.3 is reacable via 192.168.2.3 gw route.12.status = disabled # host ip address route.12.ip = 192.168.3.3 # if netmask = 32 it can be omitted entirely. route.12.netmask = 32 route.12.gateway = 192.168.2.3 route.12.table = wisp1 ... # default route : route.20.ip = 0.0.0.0 route.20.netmask = 0 route.20.devname = ixp1 route.20.gateway = 192.168.4.1 route.20.table = wisp1 ...
By default, kernel looks up 'local' table first (for a local communications using IPv4 protocol stack). If packets destination/source ip address has no matches in the table, kernel routing stack proceeds with next table, main table. If not found, default table is looked up.
All the static source routing rules should be defined in Routing rules section or by using the key:
route.rule.<index>.status – specify the rule status [enabled/disabled]. Default: enabled.
route.rule.<index>.ip – specify the packet source IP address [IP address].
route.rule.<index>.netmask – specify the netmask length in bits [bitmask number, eg. 24].
route.rule.<index>.table – specify the existing table number or name for current rule [0-255 or string without spaces]. route.rule.<index>.fwmark - <number>
route.rule.<index>.prio – specify the rule priority [0-32767]. By default local table lookup priority is 0, main - 32766, and default - 32767. By default local table lookup priority is zero, main - 32766, and default - 32767, as shown in example below. Priority allows to control the performed matching order (priorities are testing starting lowest to the highest until match is found).
$ ip rule 0: from all lookup local 32766: from all lookup main 32767: from all lookup default
route.rule.<index>.ip≤address> and route.rule.<index>.netmask≤netmask> defines a packet source IP address, if matched to lookup table route.rule.<index>.prio≤number>.
For example:
# tells routing stack that 10.0.0.0/24 are reachable on ixp0 # and packets must be routed according routing entries in table 110 route.10.ip = 10.0.0.0 route.10.netmask = 24 route.10.devname = ixp0 route.10.table = 110 # add default route - to route via GRE tunnel route.11.ip = 0.0.0.0 route.11.netmask = 0 route.11.gateway = 192.168.8.2 route.11.devname = gre1 route.11.table = 110 ... route.rule.3.ip=10.0.0.0 route.rule.3.netmask=24 route.rule.3.table=110 route.rule.3.prio=20000
Results in something like this:
$ ip rule show 0: from all lookup local 20000: from 10.0.0.0/24 lookup 110 32766: from all lookup main 32767: from all lookup default $ ip route show table 110 10.0.0.0/24 dev ixp0 scope link default via 192.168.8.2 dev gre1
Whichs tells the kernel routing stack, route 10.0.0.0/24 IP addresses via table 110. If packet destination is any address in 10.0.0.0/24, send packet back on ixp0 (where 10.0.0.0/24 network resides), otherwise packet is sent via GRE tunnel. Note: without 10.0.0.0/24 dev ixp0 scope link route installed in table 110, all packets will be sent via GRE tunnel immediately ! (thus - it might happen so, that packet never reaches the destination !).
Sample Configuration
Example 1.
route.1.devname = ixp1 route.1.ip = 192.168.55.0 route.1.netmask = 24
Example 2.
LAN interface has IP addresses 192.168.55.0/24. There is a GRE tunnel, gre0001, with an IP address 10.0.0.2/24 set. The following rules creates routing setup in which 192.168.55.0/24 LAN stations are routed via GRE tunnel. # Creates route entries in the table. # ip route add $(route.%d.ip)/$route.%d.netmask \ # dev $(route.%d.interface) \ # table $(route.%d.table) # route.1.devname = ixp0 route.1.ip = 192.168.55.0 route.1.netmask = 24 route.1.table = 100 # # Creates a default route : # ip route add $(route.%d.ip)/$(route.%d.netmask) \ # via $(route.%d.gateway) \ # dev $(route.%d.interface) \ # table wisp1 # # Note: # 'wisp1' must be defined as: # route.table.1.id = 100 # route.table.1.name = wisp1 # # without these entries - source route will not be installed as # device doesn't know how to map wisp1 to a particular number (in # this case it is 100). # # route.2.devname = gre0001 route.2.ip = 0.0.0.0 route.2.netmask = 0 route.2.gateway = 10.0.0.2 # GRE tunnel ip address. route.2.table = wisp1 # # Makes a routing stack to use table 100 hen making decision how to route packet: # # ip rule add from $(route.rule.%d.ip)/$(route.rule.%d.netmask) \ # table $(route.rule.%d.table) \ # prio $(route.rule.%d.prio) # route.rule.1.ip = 192.168.55.0 route.rule.1.netmask = 24 route.rule.1.table = 100 route.rule.1.prio = 100
Example 3.
LAN interface has IP addresses 192.168.73.1/24. There is a GRE tunnel, netb, with an IP address 10.10.1.1/29 set. WAN interface has IP address 192.168.1.61/24. This interface is default gateway for users connected to LAN interface. Marked packets, goes to routing table 121 and are routed via GRE tunnel. The following rules creates routing setup in which all marked traffic from LAN stations are routed via GRE tunnel. # # Creates a default route: # # ip route add $(route.%d.ip)/$(route.%d.netmask) \ # via $(route.%d.gateway) \ # dev $(route.%d.interface) # route.1.devname=ixp1 route.1.gateway=192.168.1.10 route.1.ip=0.0.0.0 route.1.netmask=0 route.1.status=enabled # # Makes a routing stack to use table 121 when making decision how to route packet: # # ip rule add fwmark $(route.rule.%d.fwmark) \ # table $(route.rule.%d.table) # # Note: # 'marked_traffic' must be defined as: # route.table.1.status=enabled # route.table.1.id=121 # route.table.1.name=marked_traffic # # without these entries - source route will not be installed as # device doesn't know how to map marked_traffic to a particular number (in # this case it is 121). # route.rule.1.status=enabled route.rule.1.fwmark=100 route.rule.1.table=marked_traffic # # Creates route entries in the marked_traffic table. # # ip route add $(route.%d.ip)/$(route.%d.netmask) \ # via $(route.%d.gateway) \ # table $(route.%d.table) # route.2.status=enabled route.2.gateway=10.10.1.2 route.2.ip=0.0.0.0 route.2.netmask=0 route.2.table=121
Selective Source Routing
Selective Source Routing is referring to a dynamic routing capability. In particular, client station traffic will be routed according RADIUS authentication request response. The system routing mechanism works in the same manner as the static source routing, except the fact that the routing rules will be defined automatically during the authorization routines.
Each routing table is dedicated for separate tunnel (IPsec, GRE, VSSID or VLAN interface) while having the unique name, which is used as Tunnel-ID.
Selection of the route successful only if there exist Tunnel-ID which corresponds to the “Tunnel-Assignment-ID” attribute provided by RADIUS on Access-Accept.
| | The same Tunnel-Assignment-ID RADIUS attribute value should be used in all the RADIUS accounting requests if it was available in the RADIUS Access-Accept packet. |
In the provided example, the device should have configured tunnels while each of them should have assigned Tunnel-ID. If there is no existing tunnel with corresponding Tunnel-ID, the authentication will fail and client station will be denied any network access beyond the NAS device.
| | With source routing enabled, administrator must make sure that all source routing keys route.rule.<index>.prio values are in 10000-20000 range. The system authenticator will create dynamically source routes with priority in range 900-1000. |
If there will be few Tunnel-Assignment-ID alternatives matching available Tunnel-ID's on a device the first matching Assigned Tunnel ID will be selected with the lowest Tunnel-Preference RADIUS attribute value for the client source routing.
The default routing rules will be applied for the clients, which will get empty or no Tunnel-Assignment-ID on RADIUS Access-Accept packet.
Example 1:
Clients are coming on LAN interface, which has DHCP server configured to lease IP addresses in range 192.168.3.0/24. By default clients have 192.168.3.1 assigned as a default gateway. WAN interface ixp1 has 192.168.2.110 IP address. Also, there are a couple GRE tunnel devices configured on device configured like this:
# WISP#1, creates tunnel interface 'GRE1' tunnel.gre.1.status=enabled tunnel.gre.1.remote.ip=192.168.2.253 tunnel.gre.1.ttl=64 # WISP#2, creates tunnel interface 'GRE2' tunnel.gre.2.status=enabled tunnel.gre.2.remote.ip=192.168.2.252 tunnel.gre.2.ttl=64 #Configure GRE1 and GRE2 interfaces: # 192.168.2.110 (ixp1) <------ GRE tunnel ------> 192.168.2.252 (WISP#1-remote) -- / --- > (WISP#1 NOC) # 10.0.1.2 (gre1) <---------------> (greX 10.0.1.1) # so 192.168.3.x particular IP address is routed via 10.0.1.2 (which is default gateway in case of selective routing) # assign gre1 and gre2 ip addresses netconf.dev.1.name=gre1 netconf.dev.1.type=tunnel netconf.dev.1.mode=wan netconf.dev.1.state=up netconf.dev.1.ip=10.0.1.2 netconf.dev.1.netmask=255.255.255.0 netconf.dev.1.broadcast=10.0.1.255 netconf.dev.2.name=gre2 netconf.dev.2.type=tunnel netconf.dev.2.mode=wan netconf.dev.2.state=up netconf.dev.2.ip=10.0.2.2 netconf.dev.2.netmask=255.255.255.0 netconf.dev.2.broadcast=10.0.2.255
Install a default route in each source routing table. Use a GRE tunnel’s IP address as a default gateway (so that all traffic traversing these tables is routed through GRE tunnel). The system authenticator will create particular rules per IP address that depends on tunnel-id.
route.entry.1.enabled = true route.entry.1.ip = 0.0.0.0 route.entry.1.netmask = 0 route.entry.1.interface = gre1 route.entry.1.gateway = 10.0.1.2 #important! route.entry.1.table = 101 route.entry.2.enabled = true route.entry.2.ip = 0.0.0.0 route.entry.2.netmask = 0 route.entry.2.interface = gre2 route.entry.2.gateway = 10.0.2.2 #important! route.entry.2.table = 102 route.table.1.id=101 route.table.1.name=WISP1 route.table.1.id=102 route.table.1.name=WISP2
This creates GRE1 tunnel from 192.168.2.110 <-> 192.168.2.253 for a WISP1 clients traffic to transport. The same goes for GRE2 (192.168.2.110 <-> 192.168.2.252) for a WISP2 clients to transport. While client attempts to authenticate, RADIUS server reports tunnel-id "WISP1". Assuming that interface is present on device and configured properly, system authenticator adds the route on WISP1 table. When client is gone, system authenticator deletes the route automatically.
Example 2:
Enabled WAN interface gre0001 has Assigned Tunnel ID (table name) set to "WISP1". Other WAN's have empty Tunnel-ID. Assume that client has provided valid login credentials and RADIUS server is responding with Access-Accept.
Received RADIUS Access-Accept contains Tunnel-Assignment-ID:
- with value "WISP1" and client is successfully authenticated;
- source route for that client is created through routing table named "WISP1";
- all client traffic is routed through gre0001 interface using routing table "WISP1";
- RADIUS accounting packets for that client include Tunnel-Assignment-ID attribute which contains the same value as it was in the Access-Accept: "WISP1";
- after client session end source-route is removed;
- with value "BadWISP" and such routing table does not exist:
- client authorization is refused and no source route is set up;
- client session ends immediately.
Dynamic Routing
WILI-S software can be configured to use Quagga routing suite.
zebra.status - enable the Quagga daemon zebra [enabled/disabled]. Default: disabled.
ospfd.status - enable the OSPFv2 protocol daemon [enabled/disabled]. Default: disabled.
ripd.status - enable the RIP v1 and V2 protocol daemon [enabled/disabled]. Default: disabled.
bgpd.status - enable the BGPv4+ protocol daemon [enabled/disabled]. Default: disabled.
To configure the Quagga software, place configuration files in /etc/persistent/quagga folder. How to configure the Quagga software read on http://www.quagga.net/docs/.
IPsec
The IPsec protocol client enables the WILI-S device to establish a secure connection to an IPsec peer via the Internet. IPsec is supported in two modes - transport and tunnel. Transport mode creates secure point to point channel between two hosts, eg. AP and client. Tunnel mode can be used to build a secure connection between two remote LANs serving as a VPN solution. A number of independent secure channels of either mode may be established simultaneously.
| | The IPsec feature is not supported on the Wistron CA8-4, Wistron RDAT-81, Compex WP54AG/WP54G platforms due to HW specific restrictions. |
IPsec can be configured using the following keys:
ipsec.status – specify the IPsec service status [enabled/disabled].
ipsec.<index>.status – specify the IPsec entry status [enabled/disabled]. Default: disabled.
ipsec.<index>.mode – specify the IPsec operating mode for this entry [transport/tunnel].
ipsec.<index>.point_src.ip – specify the source IP address.
ipsec.<index>.point_dst.ip – specify the destination IP address.
ipsec.<index>.ah.in.spi – specify the inbound security parameter index [256-65535].
ipsec.<index>.ah.out.spi – specify the outbound security parameter index [256-65535].
ipsec.<index>.ah.algo – specify the authentication algorithm [hmac-md5/hmac-sha1/keyed-md5/keyed-sha1/null/hmac-sha2-256/hmac-sha2-384/hmac-sha2-512/hmac-ripemd160/aes-xcbc-mac].
ipsec.<index>.ah.secret – specify the authentication secret [string]. Secret’s length depends on selected algorithm, eg. 128 bit long secret is 16 characters in length, 128 bits / 8 bits (one character) = 16. The algorithm key lengths in bits are:
- hmac-md5 - 128
- hmac-sha1 - 160
- keyed-md5 - 128
- keyed-sha1 - 160
- null - 0 to 2048
- hmac-sha2-256 - 256
- hmac-sha2-384 - 384
- hmac-sha2-512 - 512
- hmac-ripemd160 - 160
- aes-xcbc-mac - 128
ipsec.<index>.esp.in.spi – specify the inbound compression [256-65535].
ipsec.<index>.esp.out.spi – specify the outbound compression [256-65535].
ipsec.<index>.esp.auth.algo – specify the ESP authentication algorithm [hmac-md5/hmac-sha1/keyed-md5/keyed-sha1/null/hmac-sha2-256/hmac-sha2-384/hmac-sha2-512/hmac-ripemd160/aes-xcbc-mac].
ipsec.<index>.esp.auth.secret – specify the ESP authentication secret [string]. Secret’s length depends on selected algorithm, eg. 128 bit long secret is 16 characters in length, 128 bits / 8 bits (one character) = 16. The algorithm key lengths in bits are:
- des-cbc - 64
- null - 0 to 2048
- blowfish-cbc - 40 to 448
- cast128-cbc - 40 to 128
- des-deriv - 64
- 3des-deriv - 192
- rijndael-cbc -128/192/256
v* twofish-cbc - 0 to 256
- aes-ctr - 160/224/288
ipsec.<index>.esp.enc.algo – specify the ESP encryption algorithm [des-cbc/3des-cbc/null/blowfish-cbc/cast128-cbc/des-deriv/3des-deriv/rijndael-cbc/twofish-cbc/aes-ctr].
ipsec.<index>.esp.enc.secret – specify the ESP encryption secret [string]. Secret’s length depends on selected algorithm, eg. 128 bit long secret is 16 characters in length, 128 bits / 8 bits (one character) = 16. The algorithm key lengths in bits are:
- des-cbc - 64
- null - 0 to 2048
- blowfish-cbc - 40 to 448
- cast128-cbc - 40 to 128
- des-deriv - 64
- 3des-deriv - 192
- rijndael-cbc -128/192/256
- twofish-cbc - 0 to 256
- aes-ctr - 160/224/288
ipsec.<index>.ipcomp.in.spi – specify the inbound compression [256-65535].
ipsec.<index>.ipcomp.out.spi – specify the outbound compression [256-65535].
ipsec.<index>.ipcomp.compression – specify the compression mode [deflate/oui/lzs].
ipsec.<index>.spd.<index>.status – specify current SPD (security policy database) entry status [enabled/disabled].
ipsec.<index>.spd.<index>.src.ip – specify the SPD source IP address.
ipsec.<index>.spd.<index>.src.netmask – specify the source netmask bit-count [0-32].
ipsec.<index>.spd.<index>.dst.ip – specify the SPD destination IP address.
ipsec.<index>.spd.<index>.dst.netmask – specify the destination netmask bit-count [0-32].
ipsec.<index>.spd.<index>.protocol.<index>.status – specify current SPD protocol entry status [enabled/disabled]. Default: enabled.
ipsec.<index>.spd.<index>.protocol.<index>.name – specify the SPD protocol name [esp/ah/ipcomp]. The SPD protocol name is mandatory parameter.
ipsec.<index>.spd.<index>.protocol.<index>.level – specify the level [default/use/require/unique]. Default level "require" will be used for esp and ah protocols. Default level "use" will be added to ipcomp protocol.
Example: The sample configuration below defines a policy, which allows WILI-S device with IP address 192.168.4.8 to access stations on LAN2 (IP address range 192.168.1.0/24) behind IPsec supporting router 192.168.4.10. IPsec tunnel is set between WILI-S based device and router. Do not forget to setup routing on 192.168.4.8 so it knows that LAN2 (192.168.1.0/24) network is reachable through 192.168.4.10. Otherwise packets leaving device and destined to LAN2 will be routed through default gateway (which might not be the case in your setup, be careful).
# 192.168.4.8 (WILI) <========== LAN1 ==========> 192.168.4.10 (Router) # ^ # Station 1 (192.168.1.2) --------- LAN2 (192.168.1.0/24) ------- # # Station 2 (192.168.1.103) ------+ # ipsec.status=enabled ipsec.1.mode=tunnel # tunnel end point IP addresses : local/remote ipsec.1.point_src.ip=192.168.4.8 ipsec.1.point_dst.ip=192.168.4.10 # # Security Policy Indexes (SPI) (value in HEX) ipsec.1.esp.out.spi=0x4000 ipsec.1.esp.in.spi=0x5000 # # authentication key 'alabrstysaaslu!e' or hexadecimal # 16c616272737479736161736c752165 ipsec.1.esp.auth.algo=hmac-md5 ipsec.1.esp.auth.secret=alabrstysaaslu!e # # encryption key 'alabrsty' or in hexadecimal 616c616272737479 ipsec.1.esp.enc.algo=des-cbc ipsec.1.esp.enc.secret=alabrsty # # Security Policy Database (SPD) entries ipsec.1.spd.1.src.ip=192.168.4.8 ipsec.1.spd.1.src.netmask=32 ipsec.1.spd.1.dst.ip=192.168.1.0 ipsec.1.spd.1.dst.netmask=24 ipsec.1.spd.1.protocol.1.name=esp ipsec.1.spd.1.protocol.1.level=require # # install route telling 192.168.1.0/24 is behind 192.168.4.10 # do not forget to adjust 20 to a reasonable value route.20.ip = 192.168.1.0 route.20.netmask = 24 route.20.devname = ixp1 route.20.gateway = 192.168.4.10
| | The IPSec Tunnel (VPN Gateway) should be configured at the remote router (192.168.4.10) side properly. |
The valid configuration should include settings like:
- Local Secure Network (192.168.1.0/255.255.255.0)
- Remote Secure Gateway IP address (192.168.4.8)
- Key Exchange Method (Manual)
- Encryption Algorithm (DES)
- Encryption Key (value in hexadecimal is “616c616272737479”)
- Authentication Algorithm (MD5)
- Authentication Key (value in hexadecimal is “616c616272737479736161736c752165”)
- Inbound SPI (value in HEX is “4000”)
- Outbound SPI (value in HEX is “5000”)
IPsec Racoon
| | The IPsec feature is not supported on the Wistron CA8-4 platforms due to HW specific restrictions. |
The establishment of the Security Association (IPsec-SA) between two peers is needed for IPsec communication. It can be done by using manual or automated configuration.
IPsec Racoon uses the Internet Key Exchange (IKE) for automatically keying IPsec connections.
Several parameters (Keys) are exchanged between peers in order to establish the IPsec-SA. Racoon exchange routine by using IKE has two phases: establishing SA for own communication (IKE-SA) and establishing IPsec-SA.
IPsec system maintains two databases: Security Policy Database (SPD) which defines whether to apply IPsec to a packet or not and specify which/how IPsec-SA is applied and Security Association Database (SAD), which contain Key of each IPsec-SA.
The basic mechanism of applying the IPsec-SA to a packet is the following:
- The administrator sets a policy to SPD
- System refers to SPD in order to make a decision of applying IPsec to a packet
- If IPsec is required, then system get the Key for IPsec-SA from SAD
- If it is failed, then system send a request to get the Key to IPsec Racoon
- IPsec Racoon exchange the Key by using IKE with the other to be established IPsec-SA
- IPsec Racoon put the Key into SAD
- System can send a packet applied IPsec
| | Racoon needs access to UDP port 500. Make sure that your firewall configuration does not block this port. |
IPsec Racoon can be configured using the following keys:
racoon.status – specify the status of racoon service [enabled/disabled].
racoon.psk.<index>.status – specify current configuration entry status [enabled/disabled]. Default: enabled.
racoon.psk.<index>.identifier – specify the remote host IP address.
racoon.psk.<index>.secret – specify the secret preshared key [string].
Example:
racoon.status=enabled racoon.psk.1.status=enabled racoon.psk.1.identifier=192.168.2.151 racoon.psk.1.secret=VeRy$ecr3t
GRE
GRE (Generic Routing Encapsulation RFC2784) is a solution for tunneling RFC1812 private address-space traffic over an intermediate TCP/IP network such as the Internet. GRE tunneling does not use encryption it simply encapsulates data and sends it over the WAN. Administrators should therefore take care that no unencrypted private information passes through a GRE tunnel. Created GRE tunnels will appear as regular network interfaces, eg., gre1, gre4.
tunnel.gre.status – specify the GRE tunnel status [enabled/disabled]. Default: disabled.
tunnel.gre.<index>.status – specify current GRE entry status [enabled/disabled]. Default: enabled.
tunnel.gre.<index>.devname – specify custom GRE tunnel interface name [custom string up to 15 characters in length]. Bind the tunnel to the specified interface so that tunneled packets will only be routed through this interface and will not escape to another interface when the route to endpoint changes. If not specified, default interface name will be gre<index>.
tunnel.gre.<index>.local.ip – specify the fixed local IP address for tunneled packets. It must be an address of another interface of the device. Default '0.0.0.0' means that no fixed address will used for local endpoint. In this case local endpoint address for that tunnel will be automatically assigned by the routing process.
tunnel.gre.<index>.remote.ip – specify the remote tunnel endpoint IP address. Default '0.0.0.0' means accept any remote endpoint.
tunnel.gre.<index>.parent – specify the parent interface name. Bind the tunnel to the specified interface so that tunneled packets will only be routed through this interface and will not be able to escape to another interface when the route to endpoint changes.
tunnel.gre.<index>.ttl – specify the fixed time-to-live (TTL) value on tunneled packets [0-255]. The 0 is a special value meaning that packets inherit the TTL value. Default: 0.
tunnel.gre.<index>.pmtudiscovery – the Path Maximum Transmission Unit Discovery (PMTUD) status on this tunnel [enabled/disabled]. Default: enabled.
Example:
tunnel.gre.status=enabled
tunnel.gre.1.status=enabled tunnel.gre.1.devname=gre1 tunnel.gre.1.local.ip=0.0.0.0 tunnel.gre.1.remote.ip=192.168.2.2 tunnel.gre.1.ttl=255 tunnel.gre.1.pmtudiscovery=enabled
tunnel.gre.2.status=enabled tunnel.gre.2.devname=gre2 tunnel.gre.2.local.ip=192.168.2.12 tunnel.gre.2.remote.ip=192.168.2.13 tunnel.gre.2.parent=eth0 tunnel.gre.2.ttl=0 tunnel.gre.2.pmtudiscovery=disabled
This configuration will create two GRE tunnels with following parameters:
gre1 - remote end ip 192.168.2.2
local end will be chosen automatically using routing process
TTL value will be 255 with path MTU discovery.
gre2 - remote end ip 192.168.2.13,
local end will used existing device with ip 192.168.2.12, bound to eth0 interface,
it actually means that on device there should be configured interface eth0 with ip address 192.168.2.12,
TTL value will be inherited,
path MTU discovery disabled.
VTun Tunneling
Use this keys to create Virtual Tunnels over TCP/IP networks traffic compression and encryption. The VTun (Virtual Tunnel) is managed using following configuration keys:
Global keys, valid for all sessions:
tunnel.vtun.status - specify VTun daemon status [enabled|disabled]. Default - disabled
tunnel.vtun.mode - specify operating mode [client/server]. This field is mandatory.
tunnel.vtun.timeout - specify connect timeout in seconds [integer]. Default: 60.
tunnel.vtun.port - specify the port number to listen(server) or send (client)[0-65535]. Default: 5000.
Local keys for particular session:
tunnel.vtun.<index>.passwd - specify password for authentication [string]. The password should be the same on client and on server.
tunnel.vtun.<index>.proto - specify protocol to operate [tcp/udp].Client ignores it. Default: udp.
tunnel.vtun.<index>.compress - [enabled/disabled/zlib/lzo]. If enabled, system will use default compression method - zlib. Client ignores it. Default: disabled..
tunnel.vtun.<index>.encrypt - specify encryption status [enabled/disabled]. Client ignores it. Default: disabled.
tunnel.vtun.<index>.remote.ip - specify server's IP address for client to connect [IP address]. Mandatory for client.
tunnel.vtun.<index>.virtual_local.ip - specify virtual IP of local machine in tunnel [IP address]. Mandatory.
tunnel.vtun.<index>.virtual_remote.ip - specify virtual IP of remote machine in tunnel [IP address]. Mandatory.
tunnel.vtun.<index>.mtu - specify maximum transfer unit [integer]. Default: 1500.
tunnel.vtun.<index>.session - specify the name of the session. Mandatory.
tunnel.vtun.<index>.route.<index>.ip - specify the network IP address [IP address].
tunnel.vtun.<index>.route.<index>.netmask - specify the network mask prefix of the route
tunnel.vtun.<index>.route.<index>.table - specify the ID of the route table [0-255]. Optional. The table numbers 0, 253-255 are reserved.
Example:
#Client configuration sample tunnel.vtun.status=enabled tunnel.vtun.mode=client tunnel.vtun.port=5000 tunnel.vtun.timeout=70 tunnel.vtun.1.session=wilibox tunnel.vtun.1.passwd=admin02 tunnel.vtun.1.local_virtual.ip=10.200.0.2 tunnel.vtun.1.remote_virtual.ip=10.200.0.1 tunnel.vtun.1.remote.ip=192.168.2.205 tunnel.vtun.1.mtu=1700 tunnel.vtun.1.route.1.ip=192.168.100.0 tunnel.vtun.1.route.1.netmask=24 tunnel.vtun.1.route.1.table=121 # #Server configuration sample: tunnel.vtun.status=enabled tunnel.vtun.mode=server tunnel.vtun.port=5000 tunnel.vtun.timeout=70 tunnel.vtun.1.session=wilibox tunnel.vtun.1.passwd=admin02 tunnel.vtun.1.local_virtual.ip=10.200.0.1 tunnel.vtun.1.remote_virtual.ip=10.200.0.2 tunnel.vtun.1.remote.ip=192.168.2.205 tunnel.vtun.1.mtu=1700
This config will create tunnel from client side. Output from ifconfig:
tun0 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.200.0.2 P-t-P:10.200.0.1 Mask:255.255.255.255
VPN Tunneling
Virtual Private Network (VPN) feature uses OpenVPN program for creating point-to-point or server-to-multiclient encrypted tunnels between host computers. This allows secure communications through the public Internet. For more information access documentation section of http://openvpn.net website.
| | Do not re-use the same certificate/key pair among multiple clients. Also you should provide a unique common name for every client's certificate when generating them.
When using SSL/TLS certificates make sure that date on device is correct (you may need to use NTP or set date.manual configuration key) or VPN may fail with 'certificate not yet valid' error message. |
WILI-S/WILI-MESH implements a subset of OpenVPN configuration options which are described below.
tunnel.vpn.status – specify the status of the VPN tunnel [enabled/disabled]. Default: disabled.
tunnel.vpn.<index>.status – specify the status of the particular VPN tunnel profile [enabled/disabled].
tunnel.vpn.<index>.devname – specify the tunnel device name [tun/tapX, where X is tunnel interface number]. Default: tun. TUN devices are used for IP tunneling, they operate in OSI layer 3 and are used on routers. TAP devices operate in OSI layer 2 and are used for bridging. TUN device is created automatically by OpenVPN program, TAP device is created before OpenVPN is started by bridge plugin, i.e. tap5 will be created when it is being added into bridge: bridge.1.port.3.devname=tap5.
tunnel.vpn.<index>.mode – specify the VPN tunnel working mode [server/server_bridge/client]. When configuring server_bridge mode, TAP device should be created by adding tapX device to bridge and specifying in tunnel.vpn.<index>.devname=tapX configuration option.
The following configuration options should be specified for server mode:
- tunnel.vpn.<index>.server.network – specify the network address. Server will set the first address of the specified network on tunnel interface, and allocate other addresses for clients.
- tunnel.vpn.<index>.server.netmask – specify the netmask for the above network address.
The following configuration options should be specified for server_bridge mode:
- tunnel.vpn.<index>.server_bridge.gateway – specify either the IP of the bridge interface, or the IP of the default gateway/router on the bridged subnet.
- tunnel.vpn.<index>.server_bridge.netmask – specify either the netmask of the bridge interface, or the netmask of the default gateway/router on the bridged subnet.
- tunnel.vpn.<index>.server_bridge.pool_start – specify the first IP address of the IP address pool from the bridged subnet for allocating to clients.
- tunnel.vpn.<index>.server_bridge.pool_stop – specify the last IP address of the IP address pool from the bridged subnet for allocating to clients.
| | tunnel.vpn.<index>.mode configuration key should not be specified, when trying to configure tunnel in point-to-point mode with a preshared key.
|
tunnel.vpn.<index>.proto – specify the tunnel protocol [tcp/udp]. Default is udp.
tunnel.vpn.<index>.port – specify the port for both local and remote tunnel endpoints. Default is 1194.
tunnel.vpn.<index>.ca – specify the SSL/TLS root certificate file in PEM format. The file should be uploaded into /etc/persistent/ca_cert/ directory.
tunnel.vpn.<index>.cert – specify the local certificate file in PEM format signed by CA specified above. The file should be uploaded into /etc/persistent/public_cert/ directory.
tunnel.vpn.<index>.key – specify the local private key file in PEM format. The file should be uploaded into /etc/persistent/private_key/ directory using secure SFTP/SCP utilities.
tunnel.vpn.<index>.duplicate_cn - allow multiple clients to connect with the same certificate/key files or common names. This is recommended only for testing purposes. For production use, each client should have its own certificate/key pair.
tunnel.vpn.<index>.dh – specify the Diffie Hellman parameters file. The file should be uploaded into /etc/persistent/dh_keys/ directory. It is used for server only.
tunnel.vpn.<index>.pkcs12 – specify the PKCS #12 format file, which includes local private key, local certificate, and root CA certificate. It is used instead of files specified in .ca .cert .key configuration options above.
tunnel.vpn.<index>.secret – specify the pre-shared secret file.
tunnel.vpn.<index>.compression – enable or disable fast adaptive LZO compression [enabled/disabled]. Default is disabled.
tunnel.vpn.<index>.client_to_client - allow different clients to be able to "see" each other.
tunnel.vpn.<index>.local – specify the local IP address or host name of interface to bind to. By default OpenVPN binds to all interfaces.
tunnel.vpn.<index>.remote – specify the remote IP address or host name to connect to.
tunnel.vpn.<index>.remote.port – specify the port of the remote host.
tunnel.vpn.<index>.ifconfig.l – specify the IP address or hostname of the local VPN endpoint. This is used for point-to-point mode.
tunnel.vpn.<index>.ifconfig.rn – specify the IP address or hostname of the remote VPN endpoint when tunneling through TUN device, or netmask when device is TAP. This is used for point-to-point mode.
tunnel.vpn.<index>.route.<index>.status – specify the status of the specified route [enabled/disabled]. Default is enabled.
tunnel.vpn.<index>.route.<index>.ip – specify the IP/network address or host name of the route entry.
tunnel.vpn.<index>.route.<index>.netmask – specify the netmask. By default 255.255.255.255 is used.
tunnel.vpn.<index>.route.<index>.gateway – specify the IP address or host name of the gateway for the route entry.
tunnel.vpn.<index>.push.<index>.option – specify the OpenVPN configuration file option to push to clients. For example, specifying tunnel.vpn.1.push.1.option=redirect-gateway def1 will direct clients to change their default gateway to the tunnel endpoint. There is a number of options which could be used here. Refer to OpenVPN documentation http://openvpn.net/index.php/documentation/manuals/openvpn-20x-manpage.html for more information.
tunnel.vpn.<index>.ping – specify the interval in seconds to ping the remote if no packets were sent. You will need to disable keepalive to use this option. See keepalive option description below.
tunnel.vpn.<index>.ping_restart – specify the number of seconds to wait for ping/other packet before restarting VPN. You will need to disable keepalive to use this option. See keepalive option description below.
tunnel.vpn.<index>.keepalive.status – specify the status of keepalive option [enabled/disabled]. Default is enabled.
tunnel.vpn.<index>.keepalive.interval – specify the interval in seconds to ping the remote if no packets were sent. Default is 10.
tunnel.vpn.<index>.keepalive.restart – specify the number of seconds to wait for ping/other packet before restarting VPN. Default is 120.
These keepalive parameters are expanded internally by OpenVPN as follows:
if mode server: ping 10 ping-restart 120 push "ping 10" push "ping-restart 60" else ping 10 ping-restart 60
tunnel.vpn.<index>.verb – specify the verbosity level of OpenVPN messages in the syslog. Default is 1. Possible values:
| Verbosity level | Description |
|---|---|
| 0 | no output except fatal errors |
| 1 to 4 | normal use range |
| 5 | output R and W characters for each packet read and write, uppercase is used for TCP/UDP packets and lowercase is used for TUN/TAP packets |
| 6 to 11 | debug info range |
PPP
PPP (Point to Point Protocol) is the protocol used for establishing internet links over dial-up modems, DSL connections, and many other types of point-to-point links. The pppd daemon works together with the kernel PPP driver to establish and maintain a PPP link with another system (called the peer) and to negotiate Internet Protocol (IP) addresses for each end of the link. Pppd can also authenticate the peer and/or supply authentication information to the peer.
ppp.status - specify status of the PPP [enabled/disabled].
ppp.<index>.status - specify status of the particular PPP link [enabled/disabled].
ppp.<index>.name - specify the PPP link profile name [string].
ppp.<index>.ttyname - specify serial port to communicate with the peer [string]. Default: /dev/ttyUSB0].
ppp.<index>.speed - specify the baud rate for the serial device [integer]. Default: 115200]
ppp.<index>.maxfail - specify number of the consecutive failed connection attempts, after which the link will be terminated [integer, no limits] . default: 0.
ppp.<index>.user - specify name used for authenticating the local system to the peer [string].
ppp.<index>.password - specify the password that will be used for authenticating to the peer [string].
ppp.<index>.mtu - specify the Maximum Transmission Unit [integer], Default: 1500. Unless the peer requests a smaller value via MRU negotiation, pppd will request that the kernel networking code send data packets of no more than n bytes through the PPP network interface.]
ppp.<index>.mru - specify the Maximum Receive Unit [integer]. Default: 1500. Pppd will ask the peer to send packets of no more than n bytes.
ppp.<index>.lcp_echo_failure - specify number of LCP echo-requests to be sent without receiving a valid LCP echo-reply to presume the peer to be dead [integer]. From WILI-S 5.21.
ppp.<index>.lcp_echo_interval - specify number of the seconds at which the pppd will send an LCP echo-request frame to the peer [integer]. From WILI-S 5.21.
ppp.<index>.add_default_route - specify enabled to add a default route to the system routing tables, using the peer as the gateway, when IPCP negotiation is successfully completed [enabled/disabled]. Default: enabled.
ppp.<index>.use_peer_dns - specify status whether use peer’s DNS servers [enabled/disabled] Default: enabled.
ppp.<index>.debug - specify connection debugging status [enabled/disabled]. Default: disabled. If this option is given, pppd will log the contents of all control packets sent or received in a readable form. The packets are logged through syslog with facility daemon and level debug.
ppp.<index>.chat.pin - specify the the pin for the GSM SIM card [integer].
ppp.<index>.chat.apn - specify the name of an access point for GPRS/UMTS [string].
ppp.<index>.chat.phone - specify the phone number to dial [string].
ppp.<index>.chat.init.<index>.value - specify the modem initialization string to be inserted in chat [string].
Configuration example:
ppp.status=enabled ppp.1.status=enabled ppp.1.name=wap ppp.1.user=bite ppp.1.password=bite ppp.1.ttyname=/dev/ttyUSB0 ppp.1.chat.pin=1234 ppp.1.chat.apn=wap ppp.1.chat.phone=*99#
PPPoE
PPPoE is a protocol typically used by DSL providers to manage IP addresses and authenticate users. Essentially, PPPoE provides for a PPP connection to be established not over a physical serial-line or modem, but over a logical connection between two unique MAC addresses on an Ethernet network.
pppoe.status – specify the status of the PPPoE [enabled/disabled]. Default: disabled.
pppoe.<index>.status – specify the status of the particular PPPoE profile [enabled/disabled].
pppoe.<index>.name – specify name of the PPPoE profile [string]
pppoe.<index>.devname – specify name of the interface peer can be connected through [string]. The interface should be "up" before you start PPPoE, but should not be configured to have an IP address (refer to the section Interface for detailed information on interface configuration).
pppoe.<index>.user – specify name which will be used for authenticating the local system to the peer [string].
pppoe.<index>.password – specify the password for the user authentication [string].
pppoe.<index>.service_name – specify the service name set on the access concentrator [string]. PPPoE will only initiate sessions with access concentrators which can provide the specified service.
pppoe.<index>.ac_name – specify the desired access concentrator name [string]. PPPoE will only initiate sessions with the specified access concentrator.
pppoe.<index>.maxfail – terminate after n consecutive failed connection attempts [integer]. Default: 0 (no limit).
pppoe.<index>.mtu – specify the Maximum Transmission Unit [integer]. Default: 1500.
pppoe.<index>.mru – specify the Maximum Received Unit [integer]. Default: 1500.
pppoe.<index>.add_default_route – specify enabled to add a default route to the system routing tables using the peer as the gateway, when IPCP negotiation is successfully completed [enabled/disabled]. Default: enabled.
pppoe.<index>.use_peer_dns – specify status whether use peer’s DNS servers [enabled/disabled] Default: enabled.
pppoe.<index>.lcp_echo_failure – specify the number of LCP echo-requests that will be sent without receiving a valid LCP echo-reply at which the pppd will consider the peer to be dead [integer]. If this happens, pppd will terminate the connection. Use of this option requires a non-zero value for the lcp-echo-interval parameter. This option can be used to enable pppd to terminate after the physical connection has been broken (e.g., the modem has hung up) in situations where no hardware modem control lines are available.
pppoe.<index>.lcp_echo_interval – Specify the time interval in seconds at which an LCP echo-request frame will be sent by the pppd to the peer [integer]. Normally the peer should respond to the echo-request by sending an echo-reply. This option can be used with the lcp-echo-failure option to detect that the peer is no longer connected.
pppoe.<index>.persist - do not exit after a connection is terminated; instead try to reopen the connection.[enabled|disabled]. Default: enabled. The maxfail option still has an effect on persistent connections.
pppoe.<index>.holdoff - specify how many seconds to wait before re-initiating the link after it terminates [integer, time in seconds]. This option only has any effect if the persist or demand option is used. The holdoff period is not applied if the link was terminated because it was idle.
pppoe.<index>.debug – specify connection debugging status [enabled/disabled]. Default: disabled]. If this option is given, pppd will log the contents of all control packets sent or received in a readable form. The packets are logged through syslog with facility daemon and level debug.
Example:
pppoe.status=enabled pppoe.1.status=enabled pppoe.1.name=pppoe pppoe.1.user=user_name pppoe.1.password=user_password pppoe.1.devname=ixp0 pppoe.1.mtu=1460 pppoe.1.mru=1460
Wireless Settings
This section describes radio hardware (Wireless Radio) and wireless interface settings (Wireless Interface), WLAN locking, VSSID, wireless access control list (ACL), client bridge, station supervision settings.
Wireless Radio
This section provides the description of the general parameters of the radio hardware such as:
- Country code
- IEEE mode
- Auto channel selection
- Radio operating mode
- Turbo mode
- Data transfer rate
- Automatic data transfer rate
- Fragmentation
- ACK timeout
- RTS
- Transmit power (dBm)
- RX/TX antenna diversity
- Half and quarter rate channel support (available from WILI-S 5.00)
- FCC security band support (available from WILI-S 5.00)
All available keys of the radio hardware configuration are listed below:
radio.status – specify the radio module status [enabled/disabled]. Default: disabled.
radio.countrycode – specify the device’s country code. Refer to ISO Country Codes for syntax of your country code. The country code can be specified as 2 or 3 letters or number code.
radio.outdoor – specify the operation mode [0/1]. 0 is indoor, 1 is outdoor. Default: 0.
radio.xchanmode – specify the extended channel mode status [0/1]. 0 is disabled, 1 - enabled. Default: 1.
radio.<index>.status – specify current radio configuration entry status [enabled/disabled].
radio.<index>.devname – specify current wireless interface name.
radio.<index>.parent – the hardware wireless interface name, eg. wifi0, wifi1 [string].
radio.<index>.mode – specify the operating mode of the device [Managed/Master]. The device mode depends on the network topology.
- Managed. In this mode node connects to a network composed of many access points with roaming.
- Master. In this mode node is the synchronization master or acts as an access point.
radio.<index>.channel – specify the wireless channel [number, depends on country code settings and operation mode]. Multiple channels are available to avoid interference between nearby access points. If you wish to operate more than one access point in overlapping coverage areas, we recommend a distance of at least four channels between the chosen channels. The list of available channels is in the table Regulatory Domain/Channels.
For master operating mode the WILI-S has the auto channel function. It is used to find the best channel for client-access point communication (either an unused channel or if all are in use the least occupied one - that with the lowest measured signal strength). The channel list to select channels from can be specified for auto channel.
radio.<index>.autochannel.status – specify the auto channel status [enabled/disabled].
radio.<index>.autochannel.<index>.status – specify current auto channel entry status [enabled/disabled].
radio.<index>.autochannel.<index>.channel – specify one channel from auto channel list [number, depends on country code settings and operation mode]. The list of available channels is in the table Regulatory Domain/Channels.
radio.<index>.rate.max – specify the wireless transmission speed (in bits/sec, by default). Real data transmission speed will be lower due to distance, obstacles in wireless signal path and wireless protocol overhead. You may append the suffix k, M or G to the value (decimal multiplier: 10^3, 10^6 and 10^9 bits/s), or add enough zeros.
| Wireless Network Mode | The Bit-Rates (Mbps) |
|---|---|
| B | 1Mbps 2Mbps 5.5Mbps 11Mbps |
| G | 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps |
| A | 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps |
radio.<index>.rate.auto – specify the automatic bit-rate mode status [enabled/disabled]. Default: enabled. This setting sets automatic bit-rate mode with fallback to lower rate on noisy channels, which is the default for most cards. If you specify a bit-rate value (radio.<index>.rate.max) and set auto to enabled, the driver will use all bit-rates lower or equal to this value.
radio.<index>.frag – specify the fragmentation threshold (in bytes), which determines whether data frames will be fragmented and at what size [256-2346/off]. On a 802.11 wireless LAN, frames exceeding the fragmentation threshold will be fragmented, i.e., split into smaller units suitable for the circuit size. Data frames smaller than the specified fragmentation threshold value are not fragmented. Default: off.
Setting a lower fragmentation threshold value can help improve connection reliability in noisy environments (where radio interference is present). This mechanism does add overhead and therefore reduces effective throughput.
radio.<index>.rts – specify the maximum packet size beyond which the wireless LAN card invokes it’s RTS/CTS mechanism [0-2347/off]. Packets that exceed the specified RTS threshold trigger the RTS/CTS mechanism. The card transmits packets smaller than this threshold without using RTS/CTS. Default: off.
Setting a lower RTS threshold value can improve connection reliability and throughput in crowded wireless LAN environments (where many clients are trying to communicate simultaneously). It adds a certain amount of overhead, but can compensate for this by reducing bandwidth lost due to collisions.
radio.<index>.txpower – specify the wireless card transmission power in dBm [off/number].
radio.<index>.ieee_mode – specify the wireless network mode [auto/A/B/G/PUREG/AST]. Default: auto.
Meaning of auto depends on operating mode (radio.<index>.mode). If operating mode is Master then A mode will be set. For B/G-only radios, G mode will be set. If operating mode is Managed, radio will begin searching for AP starting with A mode and then switching to B and G until it finds an AP to associate to. PUREG mode means accepting only G clients (aka G-only mode). AST means 802.11a Static Turbo mode.
| | Check with your country regulations before setting Static Turbo mode. |
radio.<index>.turbo – specify the status of dynamic turbo mode [enabled/disabled]. Default: disabled. Set dynamic turbo mode with combination of throughput enhancement functionality (see: wireless.<index>.fastframes, wireless.<index>.frameburst, wireless.<index>.compression keys description in next section Wireless interface)
| | Turbo mode is available only for 802.11a and 802.11g. |
radio.<index>.rx_antenna – specify antenna for receiving [1/2]. Default: 1.
radio.<index>.rx_antenna_diversity – specify receiving antenna diversity status [enabled/disabled]. Default: enabled. Antenna diversity controls the signal strength on each antenna and switches to the one with better strength. This works if radio.<index>.rx_antenna is set to 2.
radio.<index>.tx_antenna – specify antenna for transmitting [1/2]. Default: 1.
radio.<index>.tx_antenna_diversity – specify the transmitting antenna diversity status [enabled/disabled]. Default: enabled. Antenna diversity controls the signal strength on each antenna and switches to the one with better strength. This works if radio.<index>.tx_antenna is set to 2.
radio.<index>.ani - specify status for controlling interference mitigation/Ambient Noise Immunity (ANI) [enabled/disabled].
radio.<index>.acktimeout – specify the ACK timeout value [numeric value].
radio.<index>.chanattr.<index>.status – specify the status of special channel attribute usage: channel bandwidth [enabled/disabled] . Default: enabled.
radio.<index>.chanattr.<index>.channel – specify one channel number on which bandwidth narrowing (half/quarter) will be set [channel].
radio.<index>.chanattr.<index>.bw – specify desirable channel bandwidth for specified channel [full/half/quarter]. Default: full. Default channel bandwidth for 802.11 radio is 20MHz for 11a mode and 22 MHz for 11g mode (for turbo modes they double). But it is possible to narrow it 2x or 4x times. Though this will drop data transfer rates accordingly, but it will increase power density and may help to achieve greater operation distances.
| | Do not use channel bandwidth narrowing in turbo modes. |
radio.<index>.chanattr.<index>.freq - specify frequency, e.g. 2412 [integer].
radio.<index>.ctstimeout – specify the CTS timing value [numeric].
radio.<index>.slottime – specify the Slot time value [numeric].
Example:
radio.status=enabled radio.1.status=enabled radio.1.acktimeout=48 radio.1.autochannel.status=enabled radio.1.autochannel.1.status=enabled radio.1.autochannel.1.channel=3 radio.1.autochannel.2.status=enabled radio.1.autochannel.2.channel=6 radio.1.autochannel.3.status=enabled radio.1.autochannel.3.channel=8 radio.1.devname=ath0 radio.1.frag=off radio.1.ieee_mode=G radio.1.mode=master radio.1.rate.auto=enabled radio.1.rate.max=54M radio.1.rts=off radio.1.rx_antenna=1 radio.1.rx_antenna_diversity=disabled radio.1.tx_antenna=1 radio.1.tx_antenna_diversity=disabled radio.1.txpower=auto
Wireless Interface
This section provides the description of the general wireless LAN interface parameters. The administrator is able to setup using this section:
- WEP encryption
- SSID
- SSID broadcasting suppression
- Maximum number of clients
- Country element (IEEE 802.11d)
- Power constrain and channel switch for IEEE 802.11h
- Layer 2 isolation
- Throughput enhancements (fast frames, packet bursting, compression) (available from WILI-S 5.00)
- WMM (available from WILI-S 5.00)
All available wireless interface configuration keys are listed below:
wireless.status – specify the wireless interface function status [enabled/disabled]. Default: disabled.
wireless.<index>.status – specify the wireless interface entry status [enabled/disabled]. Default: enabled.
wireless.<index>.devname – specify the wireless interface name. The value for this key should be “ath0”.
wireless.<index>.ssid – specify a unique name for your wireless network. The string is case sensitive and up to 32 characters in length [printable characters and spaces, no control characters, mandatory].
wireless.<index>.ssid_broadcast – specify the master operating mode SSID broadcasting status [enabled/disabled]. When disabled, the AP’s SSID will not show up in the network list when a client scans for available networks. By default SSID broadcasting is enabled. Do not use this feature as a security measure.
wireless.<index>.l2_isolation – specify the layer 2 wireless client separation status [enabled/disabled]. Layer 2 isolation blocks the wireless clients from communicating with each other.
wireless.<index>.max_clients – specify the maximum number of connected clients [0-2147483647]. Default: 64.
wireless.<index>.security – specify the Wired Equivalent Privacy (WEP) encryption method [wep64/wep128/none]. Default mode is: none.
wireless.<index>.security.mode – specify the security mode [restricted/open]. The default mode is restricted.
- Restricted. In this mode clients can connect only with WEP encryption configured.
- Open. This mode allows clients with WEP security or without any security to connect.
wireless.<index>.security.<index>.key – specify the WEP security keys. WEP keys should be entered as a series of colon-separated hexadecimal (0-9, A-F, and a-f) pairs:
- 5 pairs for 64-bit WEP security (eg. 00:AC:01:35:FF)
- 13 pairs for 128-bit WEP security (eg. 00:11:22:33:44:55:66:77:88:99:AA:BB:CC)
| | You can configure up to 4 security keys. |
wireless.<index>.security.default_key – specify the index of the default key, used to encrypt the data before it is transmitted [1-4].
| | The same key value must also be entered in the WLAN card configuration for each of the wireless clients. |
wireless.<index>.authmode – specify the authentication mode of the AP [1/2/4]. Default: 4.
- 1 – Open system. This setting allows any device, regardless of its WEP keys, to authenticate and attempt to associate.
- 2 – Shared key. This setting tells the AP to send a plain-text, shared key query to any device that attempts to associate with the AP.
- 4 – Auto. This setting uses both modes (Open system and Shared key).
wireless.<index>.country_element – specify the country element status [enabled/disabled]. Default: disabled. With this key enabled, system adds Country Element to beacons and probe responses according to IEEE 802.11d.
wireless.<index>.power_constrain – specify the power constrain status [enabled/disabled]. Default: disabled. With this key enabled, system adds Power Constrain to beacons and probe responses according to IEEE 802.11h.
wireless.<index>.chanswitch – specify the channel switch status [enabled/disabled]. Default: disabled. With this key enabled, system adds Channel Switch notification to beacons according to IEEE 802.11h.
wireless. <index>.fastframes – specify the fast frame status [enabled/disabled]. Default: disabled. Frame aggregation to super frame up to 3000B, thus maximizing efficiency via less overhead. Requires AP that supports fast frame functionality.
wireless. <index>.frameburst – specify the frame burst status [enabled/disabled] . Default: disabled. This technique allows transmitting more then one data frame during each transmission opportunity before station defers access to medium. Available for any capable station.
wireless.<index>.compression – specify packet compression status [enabled, disabled]. Default: disabled. real-time hardware Lempel Ziv data compression, that increases data throughput using precompressed frames. Requires an AP that supports compression.
wireless. <index>.wmm – specify the WMM status [enabled/disabled]. Default: disabled. Wi-Fi Multimedia (WMM) is based on the IEEE 802.11e draft standard. It provides basic quality of service (QoS) features to IEEE 802.11 networks. WMM prioritizes traffic according to 4 AC (Access Categories) - voice, video, best effort, and background.
| | WMM does not provide guaranteed throughput. It is suitable for simple applications that require QoS, such as Wi-Fi Voice over IP (VoIP) phone. |
The keys of the QoS based on the DiffServ architecture:
wireless.<index>.tos2ac.<index>.status – specify the status of QoS [enabled/disabled]. Default: enabled. Enables packet classification on TOS value in IP header and dispatching to according radio queues. AC values 1..4 corresponds BK, BE, VO, VI queues. 2 LS bits in TOS not used and are masked out. Mapping record with tos=0 will be used as default rule for packets not matching any other configured mapping.
wireless.<index>.tos2ac.<index>.tos – specify the IP header TOS value, HEX format can be used, internally this value is masked with 0xfc, thus last 2 bits not used [HEX format].
wireless.<index>.tos2ac.<index>.ac – specify the queue in radio HW to select [1-4]. The queue value 4 means the highest priority.
wireless.<index>.tos2ac.<index>.drop – specify drop probability [0-2]. The value 2 means highest drop probability when queue getting full.
wireless. <index>.ap – specify the MAC address of the device to which the particular device will connect to [MAC address].
wireless.<index>.igmp_snooping – specify the IGMP snooping status [enabled/disabled]. Default: disabled. When enabled, AP will passively snoop on IGMP Report and Leave packets transferred between it's clients and IP Multicast hosts. It checks IGMP packets passing through it, picks out the group registration information and generates internal L2 MAC forwarding table. Then it forwards multicast traffic using unicast packets directed according to forwarding table.
Example:
wireless.status = enabled wireless.1.status = enabled wireless.1.devname = ath0 wireless.1.ssid = my ssid wireless.1.max_clients = 100 wireless.1.security = wep64 wireless.1.security.1.key = 00:AC:01:25:F2 wireless.1.security.2.key = 00:AC:01:35:F3 wireless.1.security.3.key = 00:AC:01:55:F5 wireless.1.security.default_key = 2
AutoLock WLAN
| | The AutoLock WLAN keys of the configuration file in this manual are provided for WILI-S 5.00 firmware version and later therefore they may differ from the keys of 3.54 firmware and former versions. |
The WILI-S based device has possibility to lock the WLAN. This feature checks (using ICMP echo request, like ping utility) if specific hosts are accessible on the network. When network goes down - wireless service will be disabled. When network is up again - wireless service will be re-enabled. In the firmware version 4.00 and later the additional keys were implemented.
All available keys of the AutoLock WLAN feature are listed below:
autolock.status – specify the autolock feature status [enabled/disabled]. Default: disabled.
autolock.interval – specify the monitoring time period in seconds [number]. Default: 300 (5 min.).
autolock.retry_count – specify the number of failed reach ability checks, after which the wireless service will be disabled [0-3]. Default: 3.
autolock.verbose – specify verbose status [enabled/disabled].
autolock.<index>.status – specify current server entry status [enabled/disabled]. Default: enabled.
autolock.<index>.server – specify the IP address to be checked.
autolock.lock.action – specify the action on the lock event [none/down/up/kick/reboot]. Default: down.
- none – no action will be applied on the interface
- down – bring the interface down
- up – bring the interface up
- kick – kick all wireless clients
- reboot – reboot the device
autolock.unlock.action – specify the action when connection to the network re-established [none|down|up|kick|reboot]. Default: reboot.
- none – no action will be applied on the interface
- down – bring the interface down
- up – bring the interface up
- kick – kick all wireless clients
- reboot – reboot the device
autolock.control.<index>.status – specify the status of the wireless interface control [enabled/disabled]. Default: enabled.
autolock.control.<index>.devname – specify the name of interface for control. If the interface is not specified, all wireless interfaces will be used from the file /proc/net/wireless.
| | AutoLock has no influence on routes. As soon as interfaces are brought down the routes will be deleted. |
Example:
autolock.status = enabled autolock.interval = 600 autolock.retry_count = 3 autolock.1.status = enabled autolock.1.server = 213.29.25.154 autolock.2.status = enabled autolock.2.server = 213.29.25.33 autolock.3.status = disabled autolock.3.server = 212.22.99.66 autolock.4.status = enabled autolock.4.server = 212.25.19.6 autolock.lock.action = down autolock.unlock.action = reboot autolock.control.1.status = enabled autolock.control.1.devname = ath0 autolock.control.2.status = enabled autolock.control.2.devname = ath1
In this configuration 3 servers are pinged at every 10 minutes (600s). One server checking is disabled. When at least one server does not respond 3 times - wireless interfaces ath0 and ath1 are brought down and wireless service will be disabled. When service becomes available again - the device will be rebooted.
VSSID
| | The master SSID should be preconfigured before adding VSSID. |
The SSID defines a logical wireless network, and the WILI-S can be configured to provide another 15 wireless networks in addition to that defined by the primary SSID. Each additional SSID may be configured for different security settings (SSID, encryption, SSID broadcasting, layer 2 isolation, client limitation per SSID). All the SSIDs may be active at the same time meaning that client devices can associate to the access point using any of the SSIDs. In order to add/delete VSSID, wireless card must be in master mode and VSSID interfaces must be created before configuring them.
vssid.status – specify the VSSID feature status [enabled/disabled].
vssid.<index>.status – specify current VSSID entry status [enabled/disabled].
vssid.<index>.parent – specify the master interface on which the VSSID will be created. The value for this key should be “ath0”.
vssid.<index>.devname – specify the VSSID interface name [custom string up to 15 characters in length]. If not specified, default interface name will be ath0_<index>.
vssid.<index>.mode – specify the VSSID wireless mode [managed/master]. If this key is not specified, the VSSID will inherit the mode of the parent SSID. If you are planning to use vssids with different modes (STA and AP) on the same physical radio, first interface must be configured in AP mode.
| | The key vssid.<index>.mode affects the wireless throughput therefore this key must be used only if you are aware of the key use. |
Example:
# create 2 new virtual wireless devices vssid.status = enabled vssid.1.status = enabled vssid.1.parent = ath0 vssid.1.devname = ath0.v1 vssid.2.status = enabled vssid.2.parent = ath0 vssid.2.devname = ath0.v2
WDS
| | The WDS keys of the configuration file in this manual are provided for WILI-S 4.00 and later firmware version therefore they may differ from the keys of 3.54 firmware and former versions. |
A WDS (Wireless Distribution System) allow you to create a wireless network infrastructure. Normally the access points must be connected to a wired network (LAN), which is generally an Ethernet. Once connected, these access points create wireless cells allowing wireless connection to the wired network. The WDS feature allows the access points to be wireless connected to another access point, eliminating the need for a wired connection between them.
Use the following tips when configuring WDS:
- WDS mode can be enabled on each wireless interface (including virtual interface: VSSID)
- In order for WDS peers to communicate, all the WDS network peers must operate on the same channel (frequency) and have the same security settings
- Both sides have to be connected (AP-STA infrastructure) prior to turning WDS mode on
- If you need only to bridge two wired networks, use Wireless ACL configuration to prevent undesired association of other clients
| | In case you don’t use a WPA security, create an ACL rules to prevent undesired other clients association to the WDS. |
All available keys of the WDS feature are listed below:
wds.status – specify the WDS feature status [enabled/disabled].
wds.<index>.status – specify the status of the particular WDS link [enabled/disabled].
wds.<index>.parent – specify the interface name on which the WDS will be created [string].
Example:
# Enable WDS mode on ath0 interface wds.status = enabled wds.1.status = enabled wds.1.parent = ath0
Wireless ACL
Use the wireless access control list (ACL) service to control default access to the wireless network interfaces (ath0 and VSSIDs) or to define special access rules for wireless clients.
All available keys of the wireless ACL feature are listed below:
wacl.status – specify the ACL service status [enabled/disabled].
wacl.<index>.status – specify current ACL rule status [enabled/disabled]. Default: enabled.
wacl.<index>.devname – specify the wireless interface name on which the wireless interface rules will be assigned.
wacl.<index>.policy – specify the policy for wacl.<index>.acl.<index>.mac entries [open/allow/deny]. Default: open.
- open – policy means that no ACL will be used and ACL MAC entries will be ignored.
- allow – policy means that all clients are allowed except the ones in a list.
- deny – policy means that all clients are denied, only the ones in a list are allowed.
wacl.<index>.acl.<index>.status – specify current ACL entry status [enabled/disabled]. Default: enabled.
wacl.<index>.acl.<index>.mac – specify the MAC address of the wireless client [colon separated 6 hexadecimal value pairs].
Example:
# allow access to ath0 only from 1 MAC address wacl.status = enabled wacl.1.devname = ath0 wacl.1.policy = deny wacl.1.acl.1.mac = 00:02:6f:22:32:d9
Wireless Client Bridge
The main problem to make wireless client work as bridge is to send all packets coming from the ethernet side as wireless client’s packets: ethernet packet’s source MAC should be changed to wireless device’s MAC as 802.11 standard says that AP will not accept any packet coming not from associated wireless client (packet source MAC is not the Wireless Client MAC).
The configuration of Wireless Client Bridge contains ebtables rules definition for packets (passing through client’s wireless interface) MAC control. Follow the steps configure the wireless client bridge service on the WILI-S based device:
1. Setup wireless device (i.e. VSSID “ms1”) in wireless client mode (refer to the section Wireless Interface for more information). Configuration file example:
vssid.status=enabled vssid.1.status=enabled vssid.1.parent=ath0 vssid.1.devname=ms1 vssid.1.mode=managed wireless.2.status=enabled wireless.2.devname=ms1 wireless.2.ssid=SSID_of_the_AP
2. Setup network devices (i.e. eth0, ath0, ms1 and br0) (refer to the section Interface for more information). Configuration file example:
netconf.4.status=enabled netconf.4.ip=192.168.2.184 netconf.4.netmask=255.255.255.0 netconf.4.up=enabled netconf.4.devname=br0
| | Current STA bridge system implementation requires that bridge interface must have the IP address assigned. |
3. Setup bridge device (refer to the section The Bridge for more information), add wireless interface and ethernet interface(s) to the bridge. The configuration file example:
bridge.status=enabled bridge.1.status=enabled bridge.1.devname=br0 bridge.1.port.1.status=enabled bridge.1.port.1.devname=eth0 bridge.1.port.2.status=enabled bridge.1.port.2.devname=ms1
4. Add client bridging firewall entries:
ebtables.status=enabled ebtables.rule.1.table=nat ebtables.rule.1.chain=PREROUTING ebtables.rule.1.in=ms1 ebtables.rule.1.target=arpnat ebtables.rule.1.t.arpnat_target=ACCEPT ebtables.rule.2.table=nat ebtables.rule.2.chain=POSTROUTING ebtables.rule.2.out=ms1 ebtables.rule.2.target=arpnat ebtables.rule.2.t.arpnat_target=ACCEPT
Station Supervision
The station supervision service complements authentication, authorization and accounting (AAA) service (see section AAA Configuration for details). AAA service notifies station supervision service which client stations should be monitored for availability. If no response is received from station after specified number of retries, user authenticated from that station is logged out. Basically there should always be station supervision service running for every interface the AAA service is running on.
ssd.status – specify the feature status [enabled/disabled]. Default: disabled.
ssd.<index>.status – specify the station supervision entry status [enabled/disabled]. Default: enabled.
ssd.<index>.devname – specify the interface name for supervision.
ssd.<index>.check.interval – specify the interval to check for client availability, in seconds [number]. Default: 20.
ssd.<index>.check.count – specify the number of retries after which a user is logged out from the system [1-99]. Default: 3.
Example:
# check stations on ath0 every minute # after 5 failed retries user will be logged out ssd.1.status=enabled ssd.1.devname=ath0 ssd.1.check.interval=60 ssd.1.check.count=5
Network Access Configuration
This section describes configuration keys for:
- AAA (authentication, authorization, accounting) including NAS, RADIUS servers and proxy configuration, RADIUS domains, UAM, Dynamic WEP
- WPA/802.1x supplicant
- IP and bridging firewall settings
- SMTP redirection
AAA (Authentication Authorization and Accounting)
AAA (Authentication, Authorization and Accounting) service configuration settings are split into three groups.
- Authentication configuration includes authentication backend (RADIUS) server settings and local security profiles (eg. WPA for wireless station handling)
- Authorization configuration includes settings for authenticated users (like default bandwidth, session time limits)
- Accounting configuration includes accounting backend (RADIUS) server and accounting functionality related settings (failovers/backups, transmit/receive information sending)
To configure a fully functioning AAA service you must first create profiles, itemized below:
1. configure RADIUS authentication servers (refer to the respective section RADIUS Authentication Servers)
2. configure RADIUS accounting servers (refer to the respective section RADIUS Accounting Servers )
3. group authentication and accounting servers into RADIUS Domain(s) (refer to the respective section RADIUS Domains (WISPs)),
4. create UAM profile (refer to the respective section Universal Access Method (UAM)),
5. create security profiles: WEP (refer to the respective section Dynamic WEP Security) or WPA (see section WPA/WPA2 Security),
6. create NAS entries for each interface on which Network Access Server (NAS) will be running (refer to the respective section Network Access Server (NAS))
7. group NAS entries into AAA services (see information below)
8. if not yet created, configure wireless interfaces on which NAS will be running (refer to the respective section Wireless Interface):
wireless.1.devname=<aaa.nas.<index>.devname> wireless.1.security=wep64 | wep128 | none wireless.1.security.1.key=xx:xx:xx:xx:xx | xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx wireless.1.security.default_key=1
9. create firewall chains that AAA service depends on (refer to the respective section IP Firewall):
firewall.chain.1.name=acctin firewall.chain.1.table=mangle firewall.chain.1.parent=PREROUTING firewall.chain.2.name=acctout firewall.chain.2.table=mangle firewall.chain.2.parent=POSTROUTING firewall.chain.3.name=fwdusers firewall.chain.3.table=filter firewall.chain.3.parent=FORWARD firewall.filter.FORWARD.policy=DROP
10. setup firewall rules for each AAA interface entry (refer to the respective section IP Firewall):
firewall.rule.1.table=mangle firewall.rule.1.chain=acctin firewall.rule.1.acct.in=<aaa.<index>.devname> firewall.rule.2.table=mangle firewall.rule.2.chain=acctout firewall.rule.2.acct.out=<aaa.<index>.devname> firewall.rule.3.table=filter firewall.rule.3.chain=fwdusers firewall.rule.3.auth.in=<aaa.<index>.devname> firewall.rule.3.target=ACCEPT firewall.rule.4.table=filter firewall.rule.4.chain=fwdusers firewall.rule.4.auth.out=<aaa.<index>.devname> firewall.rule.4.target=ACCEPT firewall.rule.5.status=enabled firewall.rule.5.table=mangle firewall.rule.5.chain=PREROUTING firewall.rule.5.auth=auth firewall.rule.5.auth.in=ath0 firewall.rule.5.target=NAS_MARK
11. if AAA interface is added to the bridge, setup bridging firewall rule (refer to the respective section Bridging Firewall )
ebtables.rule.1.table=broute ebtables.rule.1.chain=BROUTING ebtables.rule.1.in=<aaa.nas.<index>.devname> ebtables.rule.1.protocol=0x888e ebtables.rule.1.target=DROP
aaa.status – specify the AAA service status [enabled/disabled, mandatory]. Default: disabled.
aaa.<index>.status – specify current AAA profile status [enabled/disabled]. Default: enabled.
aaa.<index>.name – specify the AAA profile name [string].
aaa.<index>.devname – specify the interface name to start AAA service on [string].
aaa.<index>.nas.<index>.status – specify the NAS profile entry status [enabled/disabled]. Default: enabled.
aaa.<index>.nas.<index>.profile – specify the NAS profile name [string].
aaa.<index>.wan.<index>.status – specify the WAN interface entry status [enabled/disabled]. Default: enabled. Enable this parameter and specify which interfaces have to be set up for outgoing traffic bandwidth control if you intend to use bandwidth control for users of AAA service,.
aaa.<index>.wan.<index>.devname – specify the WAN interface name for AAA [string].
Example:
aaa.status=enabled aaa.1.status=enabled aaa.1.devname=ath0 aaa.1.name=ath0-UAM-ixp1 aaa.1.nas.1.status=enabled aaa.1.nas.1.profile=ath0-UAM aaa.1.wan.1.status=enabled aaa.1.wan.1.devname=ixp1
Network Access Server (NAS)
All available keys of the NAS configuration are listed below:
aaa.nas.<index>.status – specify the NAS profile status [enabled/disabled]. Default: disabled.
aaa.nas.<index>.verbose – specify verbose logging for the NAS status [enabled/disabled]. This setting may be useful for AAA troubleshooting. Default: disabled.
aaa.nas.<index>.name – specify the NAS profile name [string]. Default is same as aaa.nas.<index>.devname.
aaa.nas.<index>.identifier – specify the NAS identifier [string]. Default: <MAC address>:<SSID>.
aaa.nas.<index>.devname – specify the interface name to start NAS on.
aaa.nas.<index>.maxclients – specify a number of maximum simultaneous clients to be accepted on current NAS [number, limited by HW capabilities]. Default: 64. Value of 0 disables client limit checking - the system will allow as many clients simultaneously as it can handle.
aaa.nas.<index>.auth.status – specify the authentication status on NAS server [enabled/disabled]. Default: disabled.
aaa.nas.<index>.auth.<index>.status – specify current authentication entry status [enabled/disabled].
aaa.nas.<index>.auth.<index>.type – specify current authentication type [ieee802.1x/uam/radius_proxy]. The radius_proxy type instructs the NAS to act as a RADIUS proxy. This requires additional radius proxy settings to be configured (see section RADIUS Proxy Configuration).
aaa.nas.<index>.auth.<index>.profile – specify the profile name [string]. This parameter is required for UAM and optional for others. This should be equal to aaa.uam.<index>.name (see section UAM (Universal Access Method) Configuration).
aaa.nas.<index>.acct.status – specify the accounting status on NAS server [enabled/disabled]. Default: disabled.
aaa.nas.<index>.domain.<index>.status – specify current domain entry status [enabled/disabled].
aaa.nas.<index>.domain.<index>.profile – specify the domain (WISP) name [string]. This should be equal to aaa.domain.<index>.name (see section RADIUS Domains (WISPs)).
aaa.nas.<index>.domain.default – specify the default domain (WISP) index [number]. Default: 1.
aaa.nas.<index>.security.type – specify the security type [none/wep/wpa]. Default: none.
aaa.nas.<index>.security.profile – specify the security profile name [string]. This may be omitted if security type is none. It should be equal to aaa.security.wep.<index>.name or aaa.security.wpa.<index>.name (see sections Dynamic WEP Security and WPA/WPA2 Security)
The following properties are reported in RADIUS request packets. Most of them are used for WISPr compliance.
aaa.nas.<index>.properties.location.isocc – specify the location ID attribute, country code opf the NAS location according ISO standards [2 characters].
aaa.nas.<index>.properties.location.cc – set the location ID attribute, country code according E.164 specification [1-3 digits].
aaa.nas.<index>.properties.location.ac – s set the location ID attribute, area code according E.164 specification of the NAS location [up to 8 digits].
aaa.nas.<index>.properties.location.network – specify the name of the location network zone [1-64 characters]. This may be equal to the SSID for wireless networks and domains for wired networks.
aaa.nas.<index>.properties.operator – specify the name of the operator owning this NAS zone [1-64 characters].
aaa.nas.<index>.properties.location – specify the detailed description of the location [1-128 characters].
aaa.nas.<index>.dynvlan.status – specify status of the dynamic service on the system [enabled/disabled]. Default: disabled
aaa.nas.<index>.dynvlan.default – specify the name of default VLAN interface [string]. If dynamic VLAN functionality is enabled on device, during authentication RADIUS server should respond with VLAN tag id. After successful authentication all client traffic will be tagged to specified VLAN. In case RADIUS server doesn't respond with VLAN id, the preconfigured VLAN will be used by default.
Example:
aaa.nas.<index>.dynvlan.status=enabled aaa.nas.1.dynvlan.default=ixp0.3000
Clients that are authenticated, but RADIUS server doesn't specify VLAN id , VLAN 3000 will be used on ixp0 interface.
RADIUS Authentication Servers
For the RADIUS authentication server configuration use following keys listed below:
aaa.auth.<index>.status – specify the RADIUS authentication server profile status [enabled/disabled]. Default: enabled.
aaa.auth.<index>.name – specify the RADIUS authentication server profile name [string, mandatory].
aaa.auth.<index>.host – specify the RADIUS authentication server host name or IP address [hostname string or IP address, mandatory].
aaa.auth.<index>.port – specify the network port used to communicate with the RADIUS authentication server [0-65535]. Default is 1812.
| | The default port value of 1812 is set according to RFC2138 "Remote Authentication Dial-in User Service (RADIUS)". |
aaa.auth.<index>.timeout – specify the authentication request timeout in seconds [1-999]. Default: 2. If RADIUS response is not received during timeout period, request is retransmitted.
aaa.auth.<index>.retry – specify the number of times authentication request is retransmitted [0-99]. Default: 2. When all retry attempts are exhausted, authentication with this server is treated as failed.
aaa.auth.<index>.secret – specify the shared secret of the authentication server [string, mandatory]. The shared secret is used to encrypt data packets transmitted between RADIUS server and client.
| | Shared secrets must be the same on the RADIUS servers and the RADIUS client. |
aaa.auth.<index>.stripdomain – specify the strip domain function status [enabled/disabled]. Default: disabled. Enabling this option removes the WISP domain prefix from the username before sending it to the RADIUS server (see section RADIUS Domain (WISP) for details). Default action is to send the username as is.
| | Some RADIUS servers can be configured to require the full-unmodified user name to be sent. |
aaa.auth.<index>.authtype – specify the UAM authentication type [PAP/CHAP/MSCHAP/MSCHAPV2]. Default: PAP.
- PAP – Password Authentication Protocol
- CHAP – Challenge Handshake Authentication Protocol
- MSCHAP – Microsoft Challenge Handshake Authentication Protocol version 1
- MSCHAPV2 – Microsoft Challenge Handshake Authentication Protocol version 2
Example:
aaa.auth.1.status=enabled aaa.auth.1.host=192.168.2.182 aaa.auth.1.name=AUTH aaa.auth.1.port=1812 aaa.auth.1.retry=5 aaa.auth.1.secret=password aaa.auth.1.stripdomain=disabled aaa.auth.1.timeout=15 aaa.auth.1.authtype=PAP
RADIUS Accounting Servers
All available keys of the RADIUS accounting server are listed below:
aaa.acct.<index>.status – specify the RADIUS accounting server profile status [enabled/disabled]. Default: enabled.
aaa.acct.<index>.name – specify the RADIUS accounting server profile name [string, mandatory].
aaa.acct.<index>.host – specify the RADIUS accounting server host name or IP address [string or IP address, mandatory].
aaa.acct.<index>.port – specify the network port used to communicate with the RADIUS accounting server [0-65535]. Default is 1813.
Some RADIUS servers can be configured to require the full-unmodified user name to be sent.
| | The default port value of 1813 is set according to RFC2866 "RADIUS Accounting". |
aaa.acct.<index>.timeout – specify the accounting request timeout in seconds [1-999]. Default: 2. If RADIUS response is not received during timeout period, request is retransmitted.
aaa.acct.<index>.retry – specify the number of times accounting request is retransmitted [0-99]. Default: 2.
aaa.acct.<index>.secret – specify the shared secret of the accounting server [string, mandatory]. The shared secret is used to encrypt data packets transmitted between RADIUS server and client.
aaa.acct.<index>.stripdomain – specify the strip domain function status [enabled/disabled]. Default: disabled. Enabling this option removes the WISP domain prefix from the username before sending it to the RADIUS server (see section RADIUS Domain (WISP) for details). Default action is to send the username as is.
| | Some RADIUS servers can be configured to require the full-unmodified user name to be sent. |
Example:
aaa.acct.1.secret=password aaa.acct.1.status=enabled aaa.acct.1.host=192.168.2.182 aaa.acct.1.name=ACCT aaa.acct.1.port=1813 aaa.acct.1.stripdomain=disabled
RADIUS Domains (WISPs)
The domain name is a string, uniquely identifying the Wireless Internet Service Provider (WISP). Access Controller can be shared between different WISPs. In this case domain name can be appended to username to specify which WISP user is trying to authenticate to:
- username@WISPdomain,
- WISPdomain/username.
All available keys are listed below:
aaa.domain.<index>.status – specify the domain profile status [enabled/disabled]. Default: enabled.
aaa.domain.<index>.name – specify the domain (WISP) profile name [string].
aaa.domain.<index>.domain – specify the domain (WISP) name [string].
aaa.domain.<index>.auth.<index>.status – specify current authentication entry status [enabled/disabled]. Default: enabled.
aaa.domain.<index>.auth.<index>.profile – specify the authentication server profile for this domain [string]. This should be equal to aaa.auth.<index>.name (see section RADIUS Authentication Servers).
aaa.domain.<index>.acct.<index>.status – specify current accounting entry status [enabled/disabled]. Default: enabled.
aaa.domain.<index>.acct.<index>.profile – specify the accounting server profile for this domain [string]. This should be equal to aaa.acct.<index>.name (see section RADIUS Accounting Servers).
aaa.domain.<index>.acct.mode – specify the accounting mode [failover/backup]. Default: failover. This setting works when multiple accounting servers are specified. In backup mode the accounting information will be send to all servers at once, without waiting for accounting responses (assuming that accounting requests will be received by at least one server). In failover mode the accounting information will be sent to another RADIUS server only if the primary RADIUS server does not respond.
aaa.domain.<index>.default.sessiontimeout – specify the default user session timeout in seconds on particular domain [1-2147483647]. Default is 18000 (5 hours).
aaa.domain.<index>.default.idletimeout – specify the default user idle timeout in seconds on particular domain [1-999999999]. Default is 300 (5 minutes).
aaa.domain.<index>.default.maxrxbandwidth – specify the default maximum reception bandwidth in bps for a user on a particular domain [0-2147483647]. The default value is 0 and means unlimited bandwidth.
aaa.domain.<index>.default.maxtxbandwidth – specify the default maximum transmission bandwidth in bps for a user on a particular domain [integer]. The default value is 0 and means unlimited bandwidth.
aaa.domain.<index>.default.minrxbandwidth – specify the default minimum reception bandwidth in bps for a user on a particular domain [integer]. The default value is 0.
aaa.domain.<index>.default.mintxbandwidth – specify the default minimum transmission bandwidth in bps for a user on a particular domain [integer]. The default value is 0.
aaa.domain.<index>.default.interim_update – specify default accounting interim update interval, in seconds [integer]. Default: 300. value 0 means disabled, minimum 60 seconds interval. By standard RADIUS server must be configured to send desired interim update interval in Acct-Interim-Interval request attribute. This value can only appear in the Access-Accept message. If such attribute is present, it overrides configured value. If attribute Acct-Interim-Interval was missing on Access-Accept, default value will be used.
Example:
aaa.domain.1.status=enabled aaa.domain.1.name=AAA aaa.domain.1.acct.1.status=enabled aaa.domain.1.acct.1.profile=ACCT aaa.domain.1.acct.mode=failover aaa.domain.1.auth.1.status=enabled aaa.domain.1.auth.1.profile=AUTH aaa.domain.1.default.idletimeout=300 aaa.domain.1.default.sessiontimeout=30000 aaa.domain.1.default.maxrxbandwidth=250000 aaa.domain.1.default.maxtxbandwidth=500000 aaa.domain.1.default.minrxbandwidth=0 aaa.domain.1.default.mintxbandwidth=0 aaa.domain.1.default.interim_update=240
Universal Access Method (UAM)
The WILI-S allows user authentication through external or internal Web portal. This authentication method is called UAM. User provides login credentials and then Web portal attempts to authenticate and authorize the client using the provided information. Client will not send any authentication requests directly to the device, Web portal will do this. On success, WILI device will allow access to the Internet, otherwise Web portal will display failure notice.
All available keys of the UAM feature are listed below:
aaa.uam.<index>.status – specify the UAM profile status [enabled/disabled]. Default: enabled.
aaa.uam.<index>.name – specify the UAM authentication profile name [string, mandatory].
aaa.uam.<index>.redirecturl – specify the main Web portal page URL [URL string]. This URL can contain the UAM placeholders (see section UAM Placeholders for details).
aaa.uam.<index>.loginurl – specify the login page URL [URL string]. This URL can contain the UAM placeholders (see section UAM Placeholders for details).
aaa.uam.<index>.statusurl – specify the status page URL [URL string]. This URL can contain the UAM placeholders (see section UAM Placeholders for details).
aaa.uam.<index>.logoffurl – specify the logoff page URL [URL string]. This URL can contain the UAM placeholders (see section UAM Placeholders for details).
iPass is a global roaming service that forms relationships with Internet Service Providers around the world and provides access in far reaching locations.
aaa.uam.<index>.ipass.status – specify the iPass configuration entry status [enabled/disabled]. Default: disabled.
aaa.uam.<index>.ipass.loginurl – specify the login page URL for iPass service clients [URL string]. This URL can contain the UAM placeholders (see section UAM Placeholders for details).
aaa.uam.<index>.ipass.aborturl – specify the abort page URL for iPass service clients [URL string]. This URL can contain the UAM placeholders (see section UAM Placeholders for details).
aaa.uam.<index>.mac_auth.status – specify status of the MAC authentication [enabled/disabled]. Default: disabled.
aaa.uam.<index>.mac_auth.user_format – specify format, which will be used to construct username in RADIUS request. Format is simple text, where %1, %2, …, %6 are replaced with first, second, …, sixth octet of the client's MAC address. For example, if MAC address is 00:18:DE:AD:CD:7E, and format %1-%2-%3-%4-%5-%6, then constructed username will be 00-18-DE-AD-CD-7E. Default format (username format not specified) is: %1:%2:%3:%4:%5:%6.
Example:
aaa.uam.1.mac_auth.user_format=%1-%2-%3-%4-%5-%6 aaa.uam.2.mac_auth.user_format=OurUser-%4:%5:%6
aaa.uam.<index>.mac_auth.passwd_format – specify format, which will be used to construct password in RADIUS request. Format is the same as in username aaa.uam.<index>.mac_auth.user_format format.
Example:
aaa.uam.1.mac_auth.passwd_format=%1:%2:%3:%4:%5:%6 aaa.uam.2.mac_auth.passwd_format=Mutabor-%4-%5-%6
aaa.uam.<index>.force_reauth – specify status of the force reauthentication [enabled/disabled]. Default: disabled. This key controls whether to request client authentication if client re associates with AP. For example Atheros driver is known to perform background scans during which client is not listening for AP beacons & etc while temporarily changes channels and etc. When scan is finished client station issues re-association request. If enabled (paranoid mode) authentication will be requested. So unless client reauthenticates successfully he/she will have no access to internet. If disabled, reauthentication is not requested client is assumed to be connected and able to use services. Default: disabled.
| | Enabled Force Reauthentication opens doors for session hijacking assuming rouge STA has the same MAC and IP address at least. So if one client has left (ejected PCMCIA card or hit switch on computer that immediately turns off radio without giving it a chance to send disconnect to AP) such rouge station will be accepted and service provided. It is up to administrator to make decision. |
aaa.uam.<index>.mac_auth.placeholder_case – specify character case, which will bet used when replacing placeholder (for example, %1) with actual value [upper/lower]. Default: lower.
Example 1:
#formatted username / password will be in upper case (eg. 00:18:DE:AD:CD:7E) aaa.uam.1.mac_auth.placeholder_case=upper #formatted username / password will be in lower case (eg. 00:18:de:ad:cd:7e) aaa.uam.2.mac_auth.placeholder_case=lower
Example 2:
aaa.uam.1.status=enabled aaa.uam.1.name=LOCAL_PAGES aaa.uam.1.ipass.status=disabled aaa.uam.1.loginurl=https://%nasip/uam/login.cgi aaa.uam.1.logoffurl=https://%nasip/uam/logout.cgi aaa.uam.1.statusurl=https://%nasip/uam/status.cgi
Dynamic WEP Security Profile
This section describes configuration of dynamic WEP security for usage with AAA service. WEP is a data privacy mechanism based on a 64-bit or 128-bit shared key algorithm as described in the IEEE 802.11 standard.
All available keys of the Dynamic WEP configuration are listed below:
aaa.security.wep.<index>.status – specify current profile status [enabled/disabled].
aaa.security.wep.<index>.name – specify current WEP security profile name [string, mandatory].
aaa.security.wep.<index>.keylen.unicast – specify the length of individual/unicast key [0/5/13]. Default: 0.
- 0 – none,
- 5 – 40-bit WEP (also known as 64-bit WEP with 40 secret bits),
- 13 – 104-bit WEP (also known as 128-bit WEP with 104 secret bits).
aaa.security.wep.<index>.keylen.broadcast – specify the length of default/broadcast key [0/5/13]. Default value is equal to aaa.security.wep.<index>.keylen.unicast value.
- 0 – none,
- 5 – 40-bit WEP (also known as 64-bit WEP with 40 secret bits),
- 13 – 104-bit WEP (also known as 128-bit WEP with 104 secret bits).
aaa.security.wep.<index>.rekey.period – specify the rekeying period in seconds [0-3600]. Default value is 0 and means that rekeying is not used.
WPA/WPA2 Security Profile
Wi-Fi Protected Access (WPA) provides a higher level of protection for wireless LAN client stations as it includes methods for mutual authentication, strong encryption, and data integrity. WPA takes the original master key only as a starting point and derives its encryption keys dynamically from this master key. WPA regularly changes and rotates the encryption keys so that the same encryption key is never used twice. Key exchange is done automatically transparent to the user.
The WPA2 is the second generation of WPA security; providing enterprise and consumer Wi-Fi users with a high level of assurance that only authorized users can access their wireless networks. WPA2 is based on the final IEEE 802.11i amendment to the 802.11 standard.
All available keys of the WPA/WPA2 profile are listed below:
aaa.security.wpa.<index>.status – specify the WPA/WPA2 security profile status [enabled/disabled]. Default: enabled.
aaa.security.wpa.<index>.name – specify the WPA/WPA2 security profile name [string].
aaa.security.wpa.<index>.mode – specify the security mode [WPA/WPA2/ALL].
aaa.security.wpa.<index>.psk – specify the WPA pre-shared keys for WPA-PSK [64 hexadecimal values]. This value can be overrided by specifying aaa.security.wpa.<index>.passphrase described below.
aaa.security.wpa.<index>.passphrase – specify the WPA passphrase [8-63 characters]. The passphrase will be converted to pre-shared key format. This conversion uses SSID, so the key changes when ASCII passphrase is used and the SSID is changed. Provided passphrase overrides value of the aaa.security.wpa.<index>.psk.
aaa.security.wpa.<index>.key.method – specify the WPA key selection method [PSK/EAP/ALL]. PSK requires for keys aaa.security.wpa.<index>.psk or aaa.security.wpa.<index>.passphrase to be specified. When EAP is selected, NAS instance, which uses this profile, must support IEEE 8021.x authentication method.
aaa.security.wpa.<index>.key.cipher – specify the encryption algorithms for pairwise keys (unicast packets) [TKIP/CCMP/ALL].
- TKIP - Temporal Key Integrity Protocol [IEEE 802.11i/D7.0],
- CCMP - AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0],
- ALL - includes CCMP and TKIP.
Group cipher suite (encryption algorithm for broadcast and multicast frames) is automatically selected based on this configuration. If only CCMP is allowed as the pairwise cipher, group cipher will also be CCMP. Otherwise, TKIP will be used as the group cipher.
aaa.security.wpa.<index>.rekey.group.period – specify the time interval for rekeying Group Temporal Key (GTK, used to decrypt broadcast/multicast traffic) in seconds [0-3600]. The default value is 0 and means no rekeying.
aaa.security.wpa.<index>.rekey.gmk.period – specify the time interval for rekeying Group Master Key (GMK used internally to generate GTKs), in seconds. The default value is 0 and means no rekeying.
IEEE 802.11i/RSN/WPA2 pre-authentication feature is used to speed up roaming by pre-authenticating IEEE 802.1X/EAP part of the full RSN authentication and key handshake before actually associating with a new AP.
aaa.security.wpa.<index>.rsn.preauth.status – specify the IEEE 802.11i/RSN/WPA2 pre-authentication status [enabled/disabled]. Default: enabled.
aaa.security.wpa.<index>.rsn.preauth.<index>.status – specify the pre-authentication interface list status [enabled/disabled]. Default: enabled.
aaa.security.wpa.<index>.rsn.preauth.<index>.devname – specify the list of interfaces from which pre-authentication frames are accepted [interface name list, eg., 'ixp0' or 'ixp0.1 ixp0.2']. This list should include all interfaces that are used for connections to other APs. The normal wireless data interface towards associated stations (ath0) should not be added, since pre-authentication is only used with APs other than currently associated one.
Example:
aaa.security.wpa.1.status=enabled aaa.security.wpa.1.name=WPASEC aaa.security.wpa.1.mode=WPA aaa.security.wpa.1.key.method=PSK aaa.security.wpa.1.key.cipher=ALL aaa.security.wpa.1.passphrase=the_secret_phrase aaa.security.wpa.1.rekey.group.period=0 aaa.security.wpa.1.rekey.gmk.period=0
RADIUS Proxy
The WILI-S can forward RADIUS authentication and accounting packets between attached access points and RADIUS server reachable through the WAN interface.
The requirements for RADIUS proxy feature to work correctly are:
1. The AP should be operating in bridge mode and be connected to Access Controller’s LAN port.
2. The WILI-S should have these RADIUS proxy parameters configured:
- RADIUS authentication port (UDP)
- RADIUS accounting port (UDP)
- accounting detection timeout.
3. AP should have NAS configured specifically for RADIUS proxy feature (see section NAS (Network Access Server))
4. The AP, which will use RADIUS proxy feature, should send RADIUS authentication and accounting packets to the preconfigured proxy ports on WILI-S LAN IP address.
5. The WILI-S will forward RADIUS authentication and accounting packets according to RADIUS domain server settings in the WILI-S configuration without any modification (as is).
6. The RADIUS secret on AP should be the same as real RADIUS server secret to which the packets will be forwarded.
7. The WILI-S RADIUS proxy authentication port will accept only RADIUS authentication packets and the RADIUS proxy accounting port will accept only RADIUS accounting packets.
8. The RADIUS proxy will ignore RADIUS Access-Request packets without the Calling-Station-Id containing valid MAC address.
9. The RADIUS proxy will use retransmission policies as configured per NAS radius domains and will ignore retransmissions from AP when internal retransmission will be in progress.
10. The RADIUS proxy can do accounting detection. This will be done by looking for Accounting-Start packets for client who previously got Access-Accept. Lookup is done by Calling-Station-Id MAC address value and Acct-Session-Id if it was available in the last Access-Request packet for that client.
11. The RADIUS proxy will not start internal RADIUS accounting if there will be no RADIUS accounting information detected within specified accounting detection timeout period or accounting detection is turned off.
12. The RADIUS proxy will leave Acct-Session-Id unchanged (which is generated internally by NAS), unless Acct-Session-Id attribute will be available in the last RADIUS Access-Request packet from AP.
13. The RADIUS proxy will logout client on Acct-Stop, if no accounting information is detected for that client.
All available keys of the RADIUS Proxy feature are listed below:
aaa.radiusproxy.<index>.status – specify the RADIUS proxy status [enabled/disabled].
aaa.radiusproxy.<index>.name – specify the RADIUS proxy profile name [string]. This should be equal to aaa.nas.<index>.auth.<index>.profile (see section NAS (Network Access Server) Configuration).
aaa.radiusproxy.<index>.auth.port – specify the UDP port for the WILI-S to listen on for RADIUS authentication packets. The WILI-S RADIUS proxy authentication port will accept only RADIUS authentication packets [0-65535]. Default: 1812.
aaa.radiusproxy.<index>.acct.port – specify the UDP port for the WILI-S to listen on for RADIUS accounting packets. The WILI-S RADIUS proxy accounting port will accept only RADIUS accounting packets [0-65535]. Default: 1813.
aaa.radiusproxy.<index>.acct.timeout – specify the RADIUS proxy accounting detection timeout in seconds [0-999999]. Default: 30. The WILI-S will wait the specified period of time for a RADIUS accounting start packet from the AP following a successful authentication. If no RADIUS accounting start packet is received within this time interval, the WILI-S will send one for the user on the AP’s behalf. WILI-S will continue to maintain accounting data for the duration of the user’s session. To disable accounting detection and internal accounting, set this value to 0.
Example:
aaa.nas.1.auth.1.type=radius_proxy aaa.nas.1.auth.1.profile=rp_ixp0 aaa.radius.proxy.1.name=rp_ixp0 aaa.radius.proxy.1.auth.port=1812 aaa.radius.proxy.1.acct.port=1813 aaa.radius.proxy.1.acct.timeout=30
WPA/802.1x Supplicant
IEEE 802.1x is the standard defining port-based authentication and infrastructure for doing key management. Extensible Authentication Protocol (EAP) messages are sent over an 802.11 wireless network using a EAPOL protocol. IEEE 802.1x provides dynamically-generated keys that are periodically refreshed.
EAP/802.1x authentication and dynamic key management enables stronger data encryption. Once an EAP/802.1x association is made between the client - WPA-compliant WILI-S supplicant and the authentication server, WPA key management can be negotiated.
The WILI-S based device can be configured to act as a supplicant - client to 802.1x protocol authenticator. It supports multiple EAP (Extensible Authentication Protocol) based authentication types such as: EAP-TLS, EAP-TTLS, EAP-MD5. Client transfers all authorization and accounting information to a RADIUS server.
| | The RADIUS server must be installed and properly configured to accept requests from the WILI-S RADIUS client. |
These keys are shared by all network blocks.
wpasupplicant.status – specify the WPA Supplicant status [enabled/disabled]. Default: disabled.
wpasupplicant.wait_for_interface – specify to wait for all configured interfaces to become available [enabled/disabled]. Default: disabled.
wpasupplicant.verbose – specify the logging verbosity level [0-4]. Default: 2. Verbosity levels are:
- 0 – quiet,
- 1 – somewhat quiet,
- 2 – normal,
- 3 – somewhat verbose,
- 4 – verbose.
wpasupplicant.keys – specify to include the secret keys, passwords, etc. into verbose output [enabled/disabled]. Default: disabled.
wpasupplicant.timestamp – specify to include the timestamp into verbose output [enabled/disabled]. Default: disabled.
wpasupplicant.device.<index>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.device.<index>.devname – specify the name of the WILI-S network interface, on which WPA/802.1x supplicant will be started.
wpasupplicant.device.<index>.driver – specify the name of network interface driver to be used [string]. Available driver names: hostap, prism54, madwifi, atmel, wext, ndiswrapper, broadcom, ipw2100, bsd, ndis. If not specified, first in the list of compiled in drivers will be used by default.
wpasupplicant.device.<index>.profile – specify the profile name to use for the WILI-S network interface [string]. This should be equal to wpasupplicant.profile.<index>.name described in next section 802.1x Supplicant Profile.
802.1x Supplicant
In addition to enterprise level security (WPA-802.1x), WILI-S supplicant supports the Pre-Shared Key WPA version (WPA-PSK) also, intended for use in SOHO or home wireless networks.
All available keys of the profile of the 802.1x Supplicant are listed below:
wpasupplicant.profile.<index>.status – specify current profile entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.name – specify the configuration profile name [string].
wpasupplicant.profile.<index>.eapol_version – specify the IEEE 802.1X/EAPOL version [1/2]. The supplicant implementation is based on IEEE 802-1X-REV-d8 which defines EAPOL version 2. However, there are many APs that do not handle the new version number correctly (they seem to drop the frames completely). In order to allow supplicant to interoperate with these APs, the version number is set to 1 by default. This configuration value can be used to set it to the new version (2).
wpasupplicant.profile.<index>.ap_scan – specify the AP scanning/selection [enabled/disabled]. Default: enabled. By default supplicant requests driver to perform AP scanning and then uses the scan results to select a suitable AP. Another alternative is to allow the driver to take care of AP scanning and selection and use supplicant just to process EAPOL frames based on IEEE 802.11 association information from the driver.
- enabled (default) - supplicant initiates scanning and AP selection;
- disabled - driver takes care of scanning, AP selection, and IEEE 802.11 association parameters (eg., WPA IE generation); this mode can also be used with non-WPA drivers when using IEEE 802.1X mode.
wpasupplicant.profile.<index>.fast_reauth – specify the EAP fast re-authentication [enabled/disabled]. By default fast re-authentication is enabled for all EAP methods that support it. This variable can be used to disable fast re-authentication. Normally, there is no need to disable this.
wpasupplicant.profile.<index>.blacklist_age – specify timeout in seconds for blacklist entries [integer]. Default 3600s. Entries will be deleted from blacklist after this timeout.
wpasupplicant.profile.<index>.network.<index>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.ssid – specify the SSID in ASCII format [string].
wpasupplicant.profile.<index>.network.<index>.ssid.hex – specify the SSID in a hexadecimal format.
| | Either wpasupplicant.profile.<index>.network.<index>.ssid or wpasupplicant.profile.<index>.network.<index>.ssid.hex is mandatory. If both are specified - wpasupplicant.profile.<index>.network.<index>.ssid.hex is used and other one is ignored.. |
wpasupplicant.profile.<index>.network.<index>.scan_ssid – specify to scan the SSID with specific Probe Request frames [enabled/disabled]. Default: disabled. Value:
- disabled – do not scan this SSID with specific Probe Request frames.
- enabled – scan with SSID-specific Probe Request frames (this can be used to find APs that do not accept broadcast SSID or use multiple SSIDs. This will slow down scanning, so enable this only when needed).
wpasupplicant.profile.<index>.network.<index>.bssid – specify the BSSID [MAC address]. If BSSID is set, this network block is used only when associating to the AP with configured BSSID.
wpasupplicant.profile.<index>.network.<index>.priority – specify the priority [0-65535]. Default: 0.
By default, all networks will get the same priority group (0). If some of the networks are more desirable, this field can be used to change the order in which supplicant goes through the networks when selecting a BSS. The priority groups will be iterated in decreasing priority (i.e., the larger the priority value, the sooner the network is matched against the scan results). Within each priority group, networks will be selected based on security policy, signal strength, etc. Note that AP scanning with wpasupplicant.profile.<index>.network.<index>.scan_ssid =1 is not using this priority to select the order for scanning. Instead, it uses the order the networks are in the configuration file.
wpasupplicant.profile.<index>.network.<index>.proto.<1/2>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.proto.<1/2>.name – specify the accepted protocols [WPA/RSN]. If this key is not specified both WPA and RSN (WPA2) are accepted.
- WPA - WPA/IEEE 802.11i/D3.0
- RSN - WPA2/IEEE 802.11i (also WPA2 can be used as an alias for RSN)
wpasupplicant.profile.<index>.network.<index>.key_mgmt.<1-4>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.key_mgmt.<1-4>.name – specify accepted authenticated key management protocols [WPA-PSK/WPA-EAP/IEEE8021X/NONE]. If this key is not specified both WPA-PSK and WPA-EAP are accepted.
- WPA-PSK – WPA pre-shared key (this requires wpasupplicant.profile.<index>.network.<index>.psk field)
- WPA-EAP – WPA using EAP authentication
- IEEE8021X – IEEE 802.1X using EAP authentication and (optionally) dynamically generated WEP keys
- NONE – WPA is not used; plaintext or static WEP could be used
wpasupplicant.profile.<index>.network.<index>.auth_alg.<1-3>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.auth_alg.<1-3>.name – specify allowed IEEE 802.11 authentication algorithms [OPEN/SHARED/LEAP]. If not specified, automatic selection is used (Open System with LEAP enabled if LEAP is allowed as one of the EAP methods).
- OPEN – Open System authentication (required for WPA/WPA2)
- SHARED – Shared Key authentication (requires static WEP keys)
- LEAP – LEAP/Network EAP (only used with LEAP)
wpasupplicant.profile.<index>.network.<index>.pairwise.<1-3>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.pairwise.<1-3>.name – specify accepted pairwise (unicast) ciphers for WPA [CCMP/TKIP/NONE]. If not specified, both CCMP and TKIP are accepted.
- CCMP – AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
- TKIP – Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
- NONE – Use only Group Keys (deprecated, should not be included if APs support pairwise keys)
wpasupplicant.profile.<index>.network.<index>.group.<1-4>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.group.<1-4>.name – specify accepted group (broadcast/multicast) ciphers for WPA [CCMP/TKIP/WEP104/WEP40]. If not specified CCMP, TKIP, WEP104 and WEP40 are accepted.
- CCMP – AES in Counter mode with CBC-MAC [RFC 3610, IEEE 802.11i/D7.0]
- TKIP – Temporal Key Integrity Protocol [IEEE 802.11i/D7.0]
- WEP104 – WEP (Wired Equivalent Privacy) with 104-bit key
- WEP40 – WEP (Wired Equivalent Privacy) with 40-bit key [IEEE 802.11]
wpasupplicant.profile.<index>.network.<index>.psk – specify the WPA preshared key: 256-bit pre-shared key. The key used in WPA-PSK mode - an ASCII passphrase with double quotation (in which case, the real PSK will be generated using the passphrase and SSID). ASCII passphrase must be between 8 and 63 characters (inclusive). This field is not needed, if WPA-EAP is used.
| | Separate tool, wpa_passphrase, can be used to generate 256-bit keys from ASCII passphrase. This process uses lot of CPU and wpa_supplicant startup and reconfiguration time can be optimized by generating the PSK only only when the passphrase or SSID has actually changed. |
wpasupplicant.profile.<index>.network.<index>.psk.hex – specify the WPA preshared key in hex: 256-bit pre-shared key. 64 hex-digits, i.e., 32 bytes. If specified it will override wpasupplicant.profile.<index>.network.<index>.psk.
wpasupplicant.profile.<index>.network.<index>.eapol_flags – specify which dynamic WEP keys are required for non-WPA mode [0/1/2/3]. Default: 3. Values:
- 0 – require no keys
- 1 – require dynamically generated unicast WEP key
- 2 – require dynamically generated broadcast WEP key
- 3 – require both keys.
Following keys are only used with internal EAP implementation:
wpasupplicant.profile.<index>.network.<index>.eap.<1-12>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.eap.<1-12>.name – specify the EAP methods [MD5/MSCHAPV2/OTP/GTC/TLS/PEAP/TTLS/LEAP/PSK/AKA/FAST]. If not specified, all methods are allowed.
- MD5 – EAP-MD5 (insecure and does not generate keying material - cannot be used with WPA. to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS)
- MSCHAPV2 – EAP-MSCHAPv2 (cannot be used separately with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS)
- OTP – EAP-OTP (cannot be used separately with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS)
- GTC – EAP-GTC (cannot be used separately with WPA; to be used as a Phase 2 method with EAP-PEAP or EAP-TTLS)
- TLS – EAP-TLS (client and server certificate)
- PEAP – EAP-PEAP (with tunneled EAP authentication)
- TTLS – EAP-TTLS (with tunneled EAP or PAP/CHAP/MSCHAP/MSCHAPV2 authentication)
- LEAP – EAP-LEAP
- PSK – EAP-PSK
- AKA – EAP-AKA
- FAST – EAP-FAST
wpasupplicant.profile.<index>.network.<index>.identity – specify the identity for EAP [string].
wpasupplicant.profile.<index>.network.<index>.anonymous_identity – specify anonymous identity for EAP (to be used as the unencrypted identity with EAP types that support different tunneled identity, eg., EAP-TTLS) [string].
wpasupplicant.profile.<index>.network.<index>.password – specify the password for EAP [string].
wpasupplicant.profile.<index>.network.<index>.pin – specify the SIM pin code [string].
wpasupplicant.profile.<index>.network.<index>.pcsc – specify the PCSC string used for SIM authentication. Default: empty string if wpasupplicant.profile.<index>.network.<index>.pin is specified.
wpasupplicant.profile.<index>.network.<index>.wep_key0 – specify the WEP Key 0:40-bit or 104-bit. The key used in static WEP mode - an ASCII passphrase.
wpasupplicant.profile.<index>.network.<index>.wep_key0.hex – specify the static WEP key 0: 40-bit or 104-bit static key. The key used in static WEP mode - hex-digits, i.e., 10 or 26 bytes. If this key is specified, it overrides wpasupplicant.profile.<index>.network.<index>.wep_key0.
- 5 pairs for 40-bit key (eg. 00:AC:01:35:FF)
- 13 pairs for 104-bit key (eg. 00:11:22:33:44:55:66:77:88:99:AA:BB:CC)
wpasupplicant.profile.<index>.network.<index>.wep_key1 – specify the static WEP key 1: 40-bit or 104-bit. The key used in static WEP mode - an ASCII passphrase.
wpasupplicant.profile.<index>.network.<index>.wep_key1.hex – specify the static WEP key 1 in hex-digits: 40-bit or 104-bit static key. The syntax is the same as wpasupplicant.profile.<index>.network.<index>.wep_key0.hex. If this key is specified, it overrides wpasupplicant.profile.<index>.network.<index>.wep_key1.
wpasupplicant.profile.<index>.network.<index>.wep_key2 – specify the static WEP key 1: 40-bit or 104-bit. The key used in static WEP mode - an ASCII passphrase.
wpasupplicant.profile.<index>.network.<index>.wep_key2.hex – specify the static WEP key 2 in hex-digits: 40-bit or 104-bit static key. The syntax is the same as wpasupplicant.profile.<index>.network.<index>.wep_key0.hex. If this key is specified, it overrides wpasupplicant.profile.<index>.network.<index>.wep_key2.
wpasupplicant.profile.<index>.network.<index>.wep_key3 – specify the static WEP key 1: 40-bit or 104-bit. The key used in static WEP mode - an ASCII passphrase.
wpasupplicant.profile.<index>.network.<index>.wep_key3.hex – specify the static WEP key 3 in hex-digits: 40-bit or 104-bit static key. The syntax is the same as wpasupplicant.profile.<index>.network.<index>.wep_key0.hex. If this key is specified, it overrides wpasupplicant.profile.<index>.network.<index>.wep_key3.
wpasupplicant.profile.<index>.network.<index>.wep_tx_keyidx – specify the default static WEP key [0/1/2/3]. Default: 0.
wpasupplicant.profile.<index>.network.<index>.eappsk – specify the EAP pre-shared key in hexadecimal format [32 hexadecimal digits].
wpasupplicant.profile.<index>.network.<index>.nai – specify the user Network Access Identifier (NAI) used to identify communicating parties [string up to 72 characters in length]. This is used for EAP-PSK protocol.
wpasupplicant.profile.<index>.network.<index>.server_nai – specify the authentication server’s NAI [string up to 72 characters in length]. This is used for EAP-PSK protocol.
wpasupplicant.profile.<index>.network.<index>.ca_cert – specify the name of CA certificate file [file name with .pem or .der extension]. This file can have one or more trusted CA certificates. If ca_cert is not included, server certificate will not be verified. This is insecure and the CA file should always be configured. The file should be saved in /etc/persistent/ca_cert/ directory on device.
wpasupplicant.profile.<index>.network.<index>.client_cert – specify the name of client certificate file [file name with .pem or .der extension]. The file should be saved in /etc/persistent/public_cert/ directory on device.
wpasupplicant.profile.<index>.network.<index>.private_key – specify the name of client private key file [file name with .key or .p12 extension]. When PKCS#12 file (.p12 extension) is used, wpasupplicant.profile.<index>.network.<index>.client_cert should be commented out or removed. Both the private key and certificate will be read from the PKCS#12 file in this case. The file should be saved in /etc/persistent/private_key/ directory on device.
wpasupplicant.profile.<index>.network.<index>.private_key_passwd – specify the password for private key [string].
wpasupplicant.profile.<index>.network.<index>.dh_file – specify the path to DH/DSA parameters file (in PEM format) [string]. This is an optional configuration file for setting parameters for an ephemeral DH key exchange. In most cases, the default RSA authentication does not use this configuration. However, it is possible setup RSA to use ephemeral DH key exchange. In addition, ciphers with DSA keys always use ephemeral DH keys. This can be used to achieve forward secrecy. If the file is in DSA parameters format, it will be automatically converted into DH parameters.
wpasupplicant.profile.<index>.network.<index>.subject_match – specify substring to be matched against the subject of the authentication server certificate. If this string is set, the server certificate is only accepted if it contains this string in the subject. The subject string is in following format: /C=US/ST=CA/L=San Francisco/CN=Test AS/emailAddress=as@example.com
Phase1 (outer authentication, i.e., TLS tunnel) parameters:
wpasupplicant.profile.<index>.network.<index>.phase1.peapver – specify the PEAP version which will be used [0/1]. Default: 1.
wpasupplicant.profile.<index>.network.<index>.phase1.peaplabel – specify the PEAP label status [enabled/disabled]. Default: disabled. When enabled, new label, "client PEAP encryption" will be used during key derivation with PEAPv1 or newer. Most existing PEAPv1 implementations seem to be using the old label, "client EAP encryption", and supplicant is now using this as default value. Some servers may require peaplabel to be enabled to interoperate with PEAPv1.
wpasupplicant.profile.<index>.network.<index>.phase1.peap_outer_success – specify the method to terminate PEAP authentication on tunneled EAP-Success [0/1/2]. Default: 0.
- 0 – PEAP terminated on Phase 2 inner EAP-Success;
- 1 – reply with tunneled EAP-Success to inner EAP-Success and expect access server to send outer (unencrypted) EAP-Success after this;
- 2 – reply with PEAP/TLS ACK to inner EAP-Success and expect access server to send outer (unencrypted) EAP-Success after this.
This is required with some RADIUS servers that implement draft-josefsson-pppext-eap-tls-eap-05.txt.
wpasupplicant.profile.<index>.network.<index>.phase1.sim_min_num_chal –specify to configure the EAP-SIM to require 2 or 3 challenges [2/3]. Default 2.
Phase2 (inner authentication with TLS tunnel) parameters:
wpasupplicant.profile.<index>.network.<index>.phase2.auth – specify the inner authentication type for TTLS [MSCHAPV2/MSCHAP/PAP/CHAP]. It stands for TTLS/MSCHAPV2, TTLS/MSCHAP, TTLS/PAP and TTLS/CHAP. If not specified, the keys wpasupplicant.profile.<index>.network.<index>.phase2.autheap.* will be used instead, see below.
wpasupplicant.profile.<index>.network.<index>.phase2.autheap.<1-5>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.phase2.autheap.<1-5>.name – specify the inner tunneled EAP authentication types for TTLS [MD5/TLS/MSCHAPV2/GTC/OTP]. They stand for TTLS/EAP-MD5, TTLS/EAP-TLS, TTLS/EAP-MSCHAPV2, TTLS/EAP-GTC, TTLS/EAP-OTP. If not specified all available types will be accepted. Note: If wpasupplicant.profile.<index>.network.<index>.phase2.auth is set - this key will have no effect.
wpasupplicant.profile.<index>.network.<index>.phase2.authpeap.<1-5>.status – specify current entry status [enabled/disabled]. Default: enabled.
wpasupplicant.profile.<index>.network.<index>.phase2.authpeap.<1-5>.name – specify the inner tunneled EAP authentication types for PEAP [MD5/TLS/MSCHAPV2/GTC/OTP]. If not specified all available types will be accepted.
wpasupplicant.profile.<index>.network.<index>.ca_cert2 – specify the name of CA certificate file [file name with .pem or .der extension]. This file can have one or more trusted CA certificates. If ca_cert2 is not included, server certificate will not be verified. This is insecure and the CA file should always be configured. See also: wpasupplicant.profile.<index>.network.<index>.ca_cert.
wpasupplicant.profile.<index>.network.<index>.client_cert2 – specify the name of client certificate file [file name with .pem or .der extension]. See also: wpasupplicant.profile.<index>.network.<index>.client_cert.
wpasupplicant.profile.<index>.network.<index>.private_key2 – specify the name of client private key file [file name with .key or .p12 extension]. See also: wpasupplicant.profile.<index>.network.<index>.private_key.
wpasupplicant.profile.<index>.network.<index>.private_key2_passwd – specify the password for private key [string].
wpasupplicant.profile.<index>.network.<index>.dh_file2 – specify the path to DH/DSA parameters file (in PEM format). See also: wpasupplicant.profile.<index>.network.<index>.dh_file.
wpasupplicant.profile.<index>.network.<index>.subject_match2 – specify substring to be matched against the subject of the authentication server certificate. See also: wpasupplicant.profile.<index>.network.<index>.subject_match.
Example:
# wpasupplicant.profile.1.status=enabled wpasupplicant.profile.1.ap_scan=enabled wpasupplicant.profile.1.eapol_version=1 wpasupplicant.profile.1.fast_reauth=enabled wpasupplicant.profile.1.name=user_1 wpasupplicant.profile.1.network.1.priority=0 wpasupplicant.profile.1.network.1.proto.1.status=enabled wpasupplicant.profile.1.network.1.proto.2.status=enabled wpasupplicant.profile.1.network.1.scan_ssid=disabled wpasupplicant.profile.1.network.1.ssid=device_SSID wpasupplicant.profile.1.network.1.status=enabled wpasupplicant.profile.1.network.1.auth_alg.1.status=enabled wpasupplicant.profile.1.network.1.auth_alg.1.name=OPEN wpasupplicant.profile.1.network.1.auth_alg.2.status=disabled wpasupplicant.profile.1.network.1.auth_alg.3.status=disabled wpasupplicant.profile.1.network.1.ca_cert=/etc/persistent/public_cert/root.pem wpasupplicant.profile.1.network.1.eap.1.status=enabled wpasupplicant.profile.1.network.1.eap.1.name=PEAP wpasupplicant.profile.1.network.1.eapol_flags=3 wpasupplicant.profile.1.network.1.group.1.status=enabled wpasupplicant.profile.1.network.1.group.1.name=TKIP wpasupplicant.profile.1.network.1.group.2.status=disabled wpasupplicant.profile.1.network.1.group.3.status=disabled wpasupplicant.profile.1.network.1.group.4.status=disabled wpasupplicant.profile.1.network.1.identity=user_name wpasupplicant.profile.1.network.1.key_mgmt.1.status=enabled wpasupplicant.profile.1.network.1.key_mgmt.1.name=WPA-EAP wpasupplicant.profile.1.network.1.pairwise.1.status=enabled wpasupplicant.profile.1.network.1.pairwise.1.name=TKIP wpasupplicant.profile.1.network.1.pairwise.2.status=disabled wpasupplicant.profile.1.network.1.password=user_password wpasupplicant.profile.1.network.1.phase1.peap_outer_success=0 wpasupplicant.profile.1.network.1.phase1.peaplabel=disabled wpasupplicant.profile.1.network.1.phase1.peapver=0 wpasupplicant.profile.1.network.1.phase1.sim_min_num_chal=2 wpasupplicant.profile.1.network.1.phase2.authpeap.1.status=enabled wpasupplicant.profile.1.network.1.phase2.authpeap.1.name=MSCHAPV2 wpasupplicant.profile.1.network.1.wep_tx_keyidx=0
IP Firewall
Access control and traffic accounting in WILI-S is implemented through ip firewall. Firewall protects the resources of a private network from outside users by preventing unauthorized access and acting as a security filter which restricts specified types of network communication.
Firewall mechanism enables Port Forwarding feature by creating a transparent tunnel through a firewall, allowing users on the Internet access to a service (Web server, SSH server) running on the LAN side. From the outside user's point of view, it looks like the service is running on the firewall.
IP firewall contains three built-in tables: nat, mangle and filter. Every table contains built-in chains. User can create additional chains and include them into built-in chains for more flexibility. Here is the built-in chain list for those tables:
- filter (packet filtering: rejecting, dropping or accepting packets):
- INPUT
- FORWARD
- OUTPUT
- nat (network address translation including DNAT, SNAT and masquerading):
- PREROUTING
- POSTROUTING
- OUTPUT
- mangle (general packet header modification such as setting the TOS value or marking packets for policy routing and traffic shaping):
- PREROUTING
- INPUT
- FORWARD
- OUTPUT
- POSTROUTING
Packet coming from the network and destined for the WILI-S based device traverses firewall tables, chains, and routing tables in this order:
- mangle table, PREROUTING chain – normally used for mangling packets, i.e., changing TOS and so on;
- nat table, PREROUTING chain – mainly used for DNAT; avoid filtering in this chain since it will be bypassed in certain cases;
- routing decision;
- mangle table, INPUT chain – used to mangle packets, after they have been routed;
- filter table, INPUT chain – used to filter all incoming traffic destined for the WILI-S based device.
Packet generated by process on the WILI-S based device locally traverses firewall tables, chains, and routing tables in this order:
- routing decision;
- mangle table, OUTPUT chain – normally used for mangling packets; it is suggested that you do not filter in this chain since it can have side effects;
- nat table, OUTPUT chain – can be used to NAT outgoing packets from the firewall itself;
- filter table, OUTPUT chain – used to filter all outgoing traffic from the WILI-S based device;
- mangle table, POSTROUTING chain – used when we want to do mangling on packets before they leave the WILI-S based device, but after the actual routing decisions; this chain will be hit by both packets just traversing the firewall, as well as packets created by the firewall itself;
- nat table, POSTROUTING chain – used for SNAT; it is suggested that you don't do filtering here since it can have side effects, and certain packets might slip through even though the default policy is to drop them.
Packet passing through the WILI-S and destined for another host on the network traverses firewall tables, chains, and routing tables in this order:
- mangle table, PREROUTING chain – normally used for mangling packets;
- nat table, PREROUTING chain – mainly used for DNAT; avoid filtering in this chain since it will be bypassed in certain cases;
- routing decision;
- mangle table, FORWARD chain – used for very specific needs, where we want to mangle the packets after the initial routing decision, but before the last routing decision made just before the packet is sent out;
- filter table, FORWARD chain – used for all the filtering; all forwarded traffic goes through this chain;
- mangle table, POSTROUTING chain – used for specific types of packet mangling that we wish to take place after all kinds of routing decisions has been done, but still on this machine;
- nat table, POSTROUTING chain – used for SNAT; avoid doing filtering here, since certain packets might pass this chain without ever hitting it; this is also where masquerading is done.
All available keys of the Firewall configuration are listed below:
firewall.status – specify the IP firewall feature status [enabled/disabled]. Default: disabled.
firewall.<table-name>.<chain-name>.policy – specify the policy [ACCEPT/DROP/RETURN]. Default: ACCEPT. See below for descriptions.
Create a custom user chain:
firewall.chain.<index>.status – specify the chain entry status [enabled/disabled]. Default: enabled.
firewall.chain.<index>.name – specify the chain name [string without spaces].
firewall.chain.<index>.table – specify the chain table name [nat/mangle/filter, mandatory].
firewall.chain.<index>.parent – specify the parent chain name [string without spaces].
| | The key firewall.chain.<index>.parent is not recommended to use. Use rules with Jump target instead to arrange chains. |
Rules Configuration
A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, or one of the special values described below. Some rule keys may have an inverse sub-key. If set to enabled it inverts the test for the main key match value.
Following configuration keys are used to determine where a particular rule shall be placed:
firewall.rule.<index>.status – specify the rule entry status [enabled/disabled]. Default: enabled.
firewall.rule.<index>.table – specify the table name [nat/mangle/filter].
firewall.rule.<index>.chain – specify the chain name [string, no spaces allowed].
firewall.rule.<index>.index – specify the rule index within the chain [1-1000].
Rule Matches
firewall.rule.<index>.protocol – specify the rule protocol [TCP/UDP/ICMP/ALL/name from /etc/protocols, integer value]. The values can be found at http://www.iana.org/assignments/protocol-numbers.
firewall.rule.<index>.protocol.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled. If enabled, this will match all protocols not specified by firewall.rule.<index>.protocol.
firewall.rule.<index>.src – specify the source IP address. IP address can be single address, eg. 192.168.2.1 or can be used with network mask to specify whole IP ranges - eg. 192.168.2.0/24 or 192.168.2.0/255.255.255.0.
firewall.rule.<index>.src.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.dst – specify the destination IP address. IP address can be single address, eg. 192.168.2.1 or can be used with network mask to specify whole IP ranges - eg. 192.168.2.0/24 or 192.168.2.0/255.255.255.0.
firewall.rule.<index>.dst.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.in – specify the interface name where the packet came from. This option is legal only in the INPUT, FORWARD and PREROUTING chains and will not return any error message when used anywhere else. Character '+' can be used to match string of letters and numbers - eg. value ixp+ will match all Ethernet devices.
firewall.rule.<index>.in.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.out – specify the interface where the packet is going to. This option is legal only in the INPUT, FORWARD and PREROUTING chains and will not return any error message when used anywhere else. Character '+' can be used to match string of letters and numbers - eg. value ixp+ will match all Ethernet devices.
firewall.rule.<index>.out.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Implicit matches
firewall.rule.<index>.sport – specify the TCP or UDP source port or port range [0-65535[:0-65535]].This match can either take a service name from /etc/services file or a port number. You can define a port range instead of one port - eg. 22:80 will match all ports from 22 to 80.
firewall.rule.<index>.sport.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.dport – specify the TCP or UDP destination port or port range [0-65535[:0-65535]].This match can either take a service name from /etc/services file or a port number. You can define a port range instead of one port - eg. 22:80 will match all ports from 22 to 80.
firewall.rule.<index>.dport.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.tcpflags – specify the TCP flags in a packet [SYN/ACK/FIN/RST/URG/PSH/ALL/NONE].
firewall.rule.<index>.tcpflags.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.tcpoption – specify the TCP option number [0-256].
firewall.rule.<index>.tcpoption.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ICMP matches
firewall.rule.<index>.icmp.type – specify the ICMP type [any/echo-reply/destination-unreachable/network-unreachable/host-unreachable/protocol-unreachable/port-unreachable/fragmentation-needed/source-route-failed/network-unknown/host-unknown/network-prohibited/host-prohibited/TOS-network-unreachable/TOS-host-unreachable/communication-prohibited/host-precedence-violation/precedence-cutoff/source-quench/redirect/network-redirect/host-redirect/TOS-network-redirect/TOS-host-redirect/echo-request/router-advertisement/router-solicitation/time-exceeded/ttl-zero-during-transit/ttl-zero-during-reassembly/parameter-problem/ip-header-bad/required-option-missing/timestamp-request/timestamp-reply/address-mask-request/address-mask-reply]. ICMP types can be specified either by their numeric values or by their names. Numerical values are specified in RFC 792.
firewall.rule.<index>. icmp.type.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Explicit matches
firewall.rule.<index>.limit – specify the maximum average number of matches to allow per time unit [0-65535/[second/minute/hour/day], eg. 5/second].
firewall.rule.<index>.limit.burst – specify the maximum burst per time unit before the above limit kicks in [0-65535/[second/minute/hour/day], eg. 10/second].
firewall.rule.<index>.mac – specify the source MAC address [colon separated 6 hexadecimal value pairs]. This is only useful for packets traversing the INPUT and FORWARD chains.
firewall.rule.<index>.mac.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.mark – specify the mark value which is used to match packets that have previously been marked [0-4294967296].
firewall.rule.<index>.multiport.sport – specify the multiple comma separated source ports [0-65535,…,0-65535, up to 15 ports]. This match can be used only with TCP or UDP protocols.
firewall.rule.<index>.multiport.dport – specify the multiple comma separated destination ports to [0-65535,…,0-65535, up to 15 ports]. This match can be used only with TCP or UDP protocols.
firewall.rule.<index>.multiport.port – specify the multiple ports [0-65535,…,0-65535, up to 15 ports]. This matches only if both the source and destination ports are equal to each other and are in the given port list. This match can be used only with TCP or UDP protocols.
firewall.rule.<index>.uid.owner – specify the packet creator’s user id. This match works only within the OUTPUT chain.
firewall.rule.<index>.gid.owner – specify the packet creator’s group id. This match works only within the OUTPUT chain.
firewall.rule.<index>.pid.owner – specify the packet creator’s process id. This match works only within the OUTPUT chain.
firewall.rule.<index>.sid.owner – specify the packet creator’s session id. This match works only within the OUTPUT chain.
firewall.rule.<index>.state – specify the packet’s connection state [INVALID/ESTABLISHED/NEW/RELATED]. This works for almost all protocols, including ICMP and UDP.
firewall.rule.<index>.tos – specify the TOS (Type Of Service) field type [decimal or hexadecimal value]:
- Minimize - Delay 16 (hexadecimal: 0X10);
- Maximize - Throughput 8 (0X08);
- Maximize - Reliability 4 (0X04);
- Minimize - Cost 2 (0X02);
- Normal - Service 0 (0X00);
firewall.rule.<index>.ttl – specify the time-to-live (TTL) value [0-256].
firewall.rule.<index>.unclean – specify the unclean match status [enabled/disabled]. Default: disabled. If enabled, this attempts to match packets which seem malformed or unusual.
Either input or output interface (not both) can be specified for the following accounting match rule. This match contains database of authenticated clients and traffic accounting for these clients is performed.
firewall.rule. <index>.ipp2p.status – specify the status of IPP2P [enabled/disabled]. Default: disabled. IPP2P is a netfilter extension to identify P2P filesharing traffic.
firewall.rule. <index>.ipp2p – specify status to grab all known p2p packets. [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.edk – specify to grab all known eDonkey/eMule/Overnet packets. [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.dc – specify to grab all known Direct Connect packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.kazaa – specify to grab all known KaZaA packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.gnu – specify to grab all known Gnutella packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.bit – specify to grab all known BitTorrent packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.apple – specify to grab all known AppleJuise packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.winmx – specify to grab all known WinMX packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.soul – specify to grab all known SoulSeek packets [enabled/disabled]. Default: disabled.
firewall.rule. <index>.ipp2p.ares – specify to grab all known Ares packets - use with DROP only [enabled/disabled]. Default: disabled.
firewall.rule.<index>.acct.in – specify the input interface name.
firewall.rule.<index>.acct.in.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.acct.out – specify the output interface name.
firewall.rule.<index>.acct.out.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Either input or output interface (not both) can be specified for the following authentication match rule.
firewall.rule.<index>.auth – specify the type of client packets: authenticated or not authenticated [auth/not-auth]. Default: auth. Based on this match, single rule for all authenticated/not authenticated clients can be applied - eg. DROP all packets from unauthenticated clients.
firewall.rule.<index>.auth.in – specify the input interface name.
firewall.rule.<index>.auth.out – specify the output interface name.
firewall.rule.<index>.auth.in.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.auth.out.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
firewall.rule.<index>.list – specify white or black list to match packets against [white/black]. Based on this match, single rule for all clients going to/from white (or black) listed sites can be applied. White/black list database is maintained in the separate application. If configuration value is white, all packets going to/from whitelisted sites are matched. Usually such rule has target ACCEPT. Configuration value black is used for blacklisted sites together with DROP target.
IPP2P
The goal of the IPP2P is to identify peer-to-peer (P2P) data in IP traffic. IPP2P is a netfilter extension to identify P2P file sharing traffic. Thereby IPP2P integrates itself easily into existing Linux firewalls and it's functionality can be used by adding appropriate filter rules.
IPP2P uses suitable search patterns to identify P2P traffic thus allowing the reliable identification of traffic belonging to many P2P networks. Once identified one may handle P2P traffic in different ways - dropping such traffic, putting into low priority classes or shaping to a given bandwidth limit is possible. Reducing costs, freeing network resources and therefore improving network performance is often the result of using IPP2P.
All keys has default value: disabled.
firewall.rule.<index>.ipp2p.status -- enable/disable IPP2P match [enabled, disabled]
firewall.rule.<index>.ipp2p -- grab all known p2p packets. Equal to --edk --dc --kazaa --gnu. [enabled, disabled]
firewall.rule.<index>.ipp2p.edk -- all known eDonkey/eMule/Overnet packets [enabled, disabled].
firewall.rule.<index>.ipp2p.dc – all known direct connect packets [enabled, disabled].
firewall.rule.<index>.ipp2p.kazaa – all known KaZaA packets [enabled, disabled].
firewall.rule.<index>.ipp2p.gnu – all known Gnutella packets [enabled, disabled].
firewall.rule.<index>.ipp2p.bit – all known BitTorrent packets [enabled, disabled].
firewall.rule.<index>.ipp2p.apple – all known AppleJuice packets (beta: only few test by now) [enabled, disabled].
firewall.rule.<index>.ipp2p.winmx – all known WinMX packets (beta) [enabled, disabled].
firewall.rule.<index>.ipp2p.soul – all known SoulSeek (beta) [enabled, disabled].
firewall.rule.<index>.ipp2p.ares – all known Ares - use with DROP only (beta) [enabled, disabled].
Rule Targets
To jump to a specific chain set rule target to be equal to that chain’s name. The chain should already exist.
firewall.rule.<index>.target – specify the rule target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].
ACCEPT target
As soon as the packet is matched, the rule is accepted and will not continue traversing current chain or any other ones in the same table. This target has no additional options:
firewall.rule.<index>.target=ACCEPT
DNAT target
DNAT target is used to rewrite destination IP address of a packet. If a packet is matched, the packet and all subsequent packets in the same stream will be translated and then routed to the correct device, host or network. DNAT target is only available in PREROUTING and OUTPUT chains in the nat table.
firewall.rule.<index>.target=DNAT
firewall.rule.<index>.t.dnat.dst – specify the IP or IP range. The IP range format is IP-IP (eg. 194.236.50.155-194.236.50.160).
Example:
firewall.rule.1.target=DNAT firewall.rule.1.t.dnat.dst=192.168.2.21-192.168.2.25
Multiple destination hosts can also be defined using the following syntax:
firewall.rule.<index>.t.dnat.<index>.dst – specify the IP address.
Example:
firewall.rule.1.target=DNAT firewall.rule.1.t.dnat.1.dst=192.168.2.21 firewall.rule.1.t.dnat.2.dst=192.168.2.40 firewall.rule.1.t.dnat.3.dst=192.168.2.229
DROP target
This target drops matched packets and will not carry out any further processing. If packet is dropped in a subchain, it will not be processed in any of the main chains in current or any other table. DROP target does not have any options.
firewall.rule.1.target=DROP
LOG target
This target is used for logging detailed information about packets to a system’s syslog. See section Syslog Configuration for more details.
firewall.rule.<index>.target=LOG
firewall.rule.<index>.t.log.level – specify the logging level [emerg/alert/crit/err/warning/notice/info/debug].
firewall.rule.<index>.t.log.prefix – specify the log prefix [string without spaces].
firewall.rule.<index>.t.log.tcp.sequence – specify the log sequence logging status [enabled/disabled]. The sequence option will log the TCP sequence numbers in a log message.
firewall.rule.<index>.t.log.tcp.options – specify the TCP option logging status [enabled/disabled]. This logs the different options from the TCP packet headers and can be valuable when trying to debug what could go wrong, or what has actually gone wrong.
firewall.rule.<index>.t.log.ip.options – specify the IP option logging status [enabled/disabled]. The IP options will log most of the IP packet header options.
MARK target
This target is used to set netfilter mark values that are associated with specific packets. It is only valid in the mangle table.
firewall.rule.<index>.target=MARK
firewall.rule.<index>.t.mark – specify the netfilter mark [0-4294967296].
MASQUERADE target
This target modifies packet’s source IP address. It is only valid in the nat table, in the POSTROUTING chain. It should only be used with dynamically assigned IP connections.
firewall.rule.<index>.target=MASQUERADE
firewall.rule.<index>.t.masq.ports – specify the port or port range [0-65535[:0-65535]]. Ports option is used to specify source port or port range to use for outgoing packets. This match can be used only with TCP or UDP protocols.
QUEUE target
This target is used to queue packets for further processing in the userspace programs. No additional options.
firewall.rule.<index>.target=QUEUE
REDIRECT target
REDIRECT target is used to redirect packets and streams to the machine itself. This target is valid only in PREROUTING and OUTPUT chains of the nat table. It is also valid within user-defined chains that are only called from those chains and nowhere else.
firewall.rule.<index>.target=REDIRECT
firewall.rule.<index>.t.redirect.port – specify the port or port range [0-65535[:0-65535]]. This match can be used only with TCP or UDP protocols.
REJECT target
This target works basically the same as DROP target, but it also sends back an error message to the host sending the packet that was blocked. REJECT target is valid only in INPUT, FORWARD and OUTPUT chains.
firewall.rule.<index>.target=REJECT
firewall.rule.<index>.t.reject.with – specify the response to send to the host if sent packet was rejected [icmp-net-unreachable/icmp-host-unreachable/icmp-port-unreachable/icmp-proto-unreachable/icmp-net-prohibited/icmp-host-prohibited/tcp-reset]. Default: port-unreachable.
RETURN target
This target will cause current packet to stop traversing this chain and resume at the next rule in the previous (calling) chain. If the chain is the main chain, default chain policy will apply for this packet.
firewall.rule.<index>.target=RETURN
SNAT target
This target is used to rewrite source IP address in the IP header of the packet. SNAT target is valid in POSTROUTING chain of nat table only.
firewall.rule.<index>.target=SNAT
firewall.rule.<index>.t.snat.source – specify the IP or IP range. The IP range format is IP-IP (eg. 194.236.50.155-194.236.50.160). Source option is used to specify which source the packet should use.
TOS target
TOS target is used to set the type of service field within IP header. It is only valid in the mangle table.
firewall.rule.<index>.target=TOS
firewall.rule.<index>.t.tos – specify the TOS field type [decimal or hexadecimal value]:
- Minimize - Delay 16 (hexadecimal: 0X10);
- Maximize - Throughput 8 (0X08);
- Maximize - Reliability 4 (0X04);
- Minimize - Cost 2 (0X02);
- Normal - Service 0 (0X00);
TTL target
TTL target is used to modify the time to live in the IP header. It is only valid in the mangle table.
firewall.rule.<index>.target=TTL
firewall.rule.<index>.t.ttl.set – specify the TTL set option [0-256]. This option tells the TTL target which TTL value to set on a packet.
firewall.rule.<index>.t.ttl.dec – specify the TTL decrement option [0-256] .This option specifies to decrement TTL by given value.
firewall.rule.<index>.t.ttl.inc – specify the TTL increment option [0-256]. This option specifies to increment TTL by given value.
ULOG target
The ULOG target is used to provide userspace logging of matching packets. The packet information is multicasted together with the whole packet through netlink socket.
firewall.rule.<index>.target – ULOG
firewall.rule.<index>.t.ulog.nlgroup – specify the netlink group [0-32]. This option tells the ULOG target which netlink group to send the packet to.
firewall.rule.<index>.t.ulog.prefix – specify the ULOG prefix [string without spaces]. This option prefixes all log entries with a user-specified log prefix.
firewall.rule.<index>.t.ulog.cprange – specify how many bytes of packet to send [0-65535].
firewall.rule.<index>.t.ulog.qthreshold – specify how many packets to queue before sending [0-65535].
NAS_MARK target
The NAS_MARK target is used to mark all incoming packets with their source IP address as a mark. These marks are used by traffic shaping module (used for AAA user bandwidth configuration). NAS_MARK target can be used only in PREROUTING chain (or subchains) of mangle table. This target has no additional parameters.
firewall.rule.<index>.target=NAS_MARK
Another Firewall Rule Definition Method
There is a possibility to define firewall rule with all the parameters as a regular iptables command line.
firewall.rule.<index>.cmd – specify the iptables command line [string]
Example:
#firewall.rule.5.cmd=-t nat -A POSTROUTING -s 192.168.1.0/24 -o ixp0 -j SNAT --to-source 192.168.2.1 #The configuration file snapshot for an example described above should be like this: firewall.status=enabled firewall.rule.1.status=enabled firewall.rule.1.target=SNAT firewall.rule.1.table=nat firewall.rule.1.chain=POSTROUTING firewall.rule.1.t.snat.source=192.168.30.1 firewall.rule.1.out=ixp1 firewall.rule.1.protocol=TCP firewall.rule.1.dport=25 firewall.rule.2.status=enabled firewall.rule.2.table=nat firewall.rule.2.chain=PREROUTING firewall.rule.2.in=ixp0 firewall.rule.2.dst=195.14.162.78 firewall.rule.2.protocol=TCP firewall.rule.2.dport=25 firewall.rule.2.target=ACCEPT firewall.rule.3.status=enabled firewall.rule.3.table=nat firewall.rule.3.chain=PREROUTING firewall.rule.3.protocol=TCP firewall.rule.3.in=ixp0 firewall.rule.3.dport=25 firewall.rule.3.target=DNAT firewall.rule.3.t.dnat.dst=195.14.162.78 firewall.rule.4.status=enabled firewall.rule.4.table=nat firewall.rule.4.chain=POSTROUTING firewall.rule.4.target=MASQUERADE firewall.rule.4.out=ixp1 firewall.rule.5.table=nat firewall.rule.5.chain=PREROUTING firewall.rule.5.protocol=TCP firewall.rule.5.dport=53 firewall.rule.5.target=REDIRECT firewall.rule.6.table=nat firewall.rule.6.chain=PREROUTING firewall.rule.6.protocol=UDP firewall.rule.6.dport=53 firewall.rule.6.target=REDIRECT firewall.rule.7.table=nat firewall.rule.7.chain=PREROUTING firewall.rule.7.list=white firewall.rule.7.target=ACCEPT firewall.rule.8.table=filter firewall.rule.8.chain=FORWARD firewall.rule.8.list=white firewall.rule.8.target=ACCEPT firewall.filter.FORWARD.policy=DROP
Bridging Firewall
Bridging firewall contains three built-in tables: nat, filter and broute. Every table contains built-in chains. User can create additional chains and include them into built-in chains for more flexibility. Here is the built-in chain list for those tables:
- filter:
- INPUT
- FORWARD
- OUTPUT
- nat:
- PREROUTING
- OUTPUT
- POSTROUTING
- broute:
- BROUTING
For details about nat and filter tables and their chains check the section IP Firewall Configuration.
Broute table is used to make a brouter. The targets DROP and ACCEPT have special meaning in the broute table. DROP actually means the frame has to be routed, while ACCEPT means the frame has to be bridged. The BROUTING chain is traversed very early. It is only traversed by frames entering on a bridge enslaved network interface that is in forwarding state. Normally those frames would be bridged, but you can decide otherwise here. The redirect target, described below, is very handy here.
All available keys of the Bridging Firewall feature are listed below:
ebtables.status – specify the bridging firewall feature status [enabled/disabled]. default: disabled.
ebtables.<table-name>.<chain-name>.policy – specify the policy [ACCEPT/DROP/RETURN]. Default: ACCEPT. See below for descriptions.
ebtables.chain.<index>.status – specify the chain entry status [enabled/disabled]. Default: enabled.
ebtables.chain.<index>.name – specify the chain name [string].
ebtables.chain.<index>.table – specify the chain table name [filter/nat/broute].
Rules Configuration
A firewall rule specifies criteria for a packet, and a target. If the packet does not match, the next rule in the chain is the examined; if it does match, then the next rule is specified by the value of the target, which can be the name of a user-defined chain, or one of the special values described below. Some rule keys may have an inverse subkey. If set to enabled it inverts the test for the main key match value.
Following configuration keys are used to determine where a particular rule shall be placed:
ebtables.rule.<index>.status – specify current rule status [enabled/disabled]. Default: enabled.
ebtables.rule.<index>.table – specify the table name [string].
ebtables.rule.<index>.chain – specify the chain name [string].
A firewall rule specifies criteria for an Ethernet frame and a frame processing specification called a target. When a frame matches a rule, then the next action specified by the target is performed. The target can be one of these values: ACCEPT, DROP, CONTINUE, RETURN, an 'extension' (see below) or a user-defined chain.
ebtables.rule.<index>.target – specify the target [ACCEPT/DROP/CONTINUE/RETURN, target extension]:
- ACCEPT means to let the frame through.
- DROP means the frame has to be dropped.
- CONTINUE means the next rule has to be checked. This can be handy to know how many frames pass a certain point in the chain or to log those frames.
- RETURN means stop traversing this chain and resume at the next rule in the previous (calling) chain.
- TARGET EXTENSIONS see section Target Extensions.
Rule Matches
ebtables.rule.<index>.protocol – specify the protocol that is responsible for creating the frame [hexadecimal number below 0x0600/name from /etc/ethertypes file/LENGTH]. The protocol field of the Ethernet frame can be used to denote the length of the header (802.2/802.3 networks). When the value of that field is below (or equals) 0x0600, the value equals the size of the header and should not be used as a protocol number. Instead, all frames where the protocol field is used as the length field are assumed to be of the same protocol. The protocol name for these frames is LENGTH.
Contents of /etc/ethertypes file are listed at http://www.cavebear.com/CaveBear/Ethernet/type.html.
ebtables.rule.<index>.protocol.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.src – specify the source MAC address [colon separated 6 hexadecimal value pairs]. Alternatively one can specify Unicast, Multicast, Broadcast or BGA (Bridge Group Address).
- Unicast = 00:00:00:00:00:00/01:00:00:00:00:00,
- Multicast = 01:00:00:00:00:00/01:00:00:00:00:00,
- Broadcast = ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff
- BGA = 01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff.
Note that a broadcast address will also match the multicast specification.
ebtables.rule.<index>.src.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.dst – specify the destination MAC address [colon separated 6 hexadecimal value pairs]. See ebtables.rule.<index>.src for more details.
ebtables.rule.<index>.dst.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.in – specify the interface name a frame is received from. This match is available in INPUT, FORWARD, PREROUTING and BROUTING chains.
ebtables.rule.<index>.in.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.out – specify the interface name a frame is going to be sent to. This match is available in OUTPUT, FORWARD and POSTROUTING chains.
ebtables.rule.<index>.out.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.lin – specify the (logical) bridge interface name a frame is received from. This match is available in INPUT, FORWARD, PREROUTING and BROUTING chains.
ebtables.rule.<index>.lin.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.lout – specify the (logical) bridge interface name a frame is going to be sent to. This match is available in OUTPUT, FORWARD and POSTROUTING chains.
ebtables.rule.<index>.lout.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Match Extensions
802.3 matches
Specify 802.3 DSAP/SSAP fields or SNAP type. The protocol must be specified as LENGTH (see protocol above).
ebtables.rule.<index>.802_3.sap – specify the SAP byte [hexadecimal number]. DSAP and SSAP are two one byte 802.3 fields. The bytes are always equal, so only one byte (hexadecimal) is needed as an argument.
ebtables.rule.<index>.802_3.sap.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.802_3.type – specify the SNAP value [hexadecimal number]. If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must be consulted to determine the payload protocol. This is a two byte (hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are checked for type.
ebtables.rule.<index>.802_3.type.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ARP matches
Specify ARP fields. The protocol must be specified as ARP or RARP.
ebtables.rule.<index>.arp.opcode – specify the (R)ARP opcode [decimal or a string]:
- 1 = Request
- 2 = Reply
- 3 = Request_Reverse
- 4 = Reply_Reverse
- 5 = DRARP_Request
- 6 = DRARP_Reply
- 7 = DRARP_Error
- 8 = InARP_Request
- 9 = ARP_NAK
ebtables.rule.<index>.arp.opcode.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.arp.htype – specify the hardware type [number or string].Default: Ethernet (1).
ebtables.rule.<index>.arp.htype.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.arp.ptype – specify the protocol type for which the (R)ARP is used [hexadecimal number or string]. Default: IPv4 (0x0800).
ebtables.rule.<index>.arp.ptype.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.arp.ip_src – specify the ARP IP source address specification [IP address[/netmask length in bits]].
ebtables.rule.<index>.arp.ip_src.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.arp.ip_dst – the ARP IP destination address specification [IP address[/netmask length in bits]].
ebtables.rule.<index>.arp.ip_dst.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.arp.mac_src – specify the ARP MAC source address specification [colon separated 6 hexadecimal value pairs[/netmask length in bits]].
ebtables.rule.<index>.arp.mac_src.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.arp.mac_dst – specify the ARP MAC destination address specification [colon separated 6 hexadecimal value pairs[/netmask length in bits]].
ebtables.rule.<index>.arp.mac_dst.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
IP matches
Specify the IP fields for IPv4 protocol.
ebtables.rule.<index>.ip.source – specify the source IP address [IP address[/netmask length in bits]].
ebtables.rule.<index>.ip.source.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.ip.destination – specify the destination IP address [IP address[/netmask length in bits]].
ebtables.rule.<index>.ip.destination.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.ip.tos – specify the IP type of service [hexadecimal number].
- Minimize - Delay (0X10);
- Maximize - Throughput (0X08);
- Maximize - Reliability (0X04);
- Minimize - Cost (0X02);
- Normal - Service (0X00);
ebtables.rule.<index>.ip.tos.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.ip.protocol – specify the IP protocol [0-255]. The standard IP protocol as specified at http://www.iana.org/assignments/protocol-numbers.
ebtables.rule.<index>.ip.protocol.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.ip.source_port – specify the source port or port range for IP protocol [0-65535[:0-65535]].
ebtables.rule.<index>.ip.source_port.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.ip.destination_port – specify the destination port or port range for IP protocols [0-65535[:0-65535]].
ebtables.rule.<index>.ip.destination_port.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Mark matches
ebtables.rule.<index>.mark – specify the mark value to check in frames [number[/mask]].
If a mark value and mask is specified, the logical AND of the mark value of the frame and the user-specified mask is taken before comparing it with the user-specified mark value. If only a mask is specified (start with '/') the logical AND of the mark value of the frame and the user-specified mark is taken and the result is compared with zero.
ebtables.rule.<index>.mark.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Packet type matches
ebtables.rule.<index>.pkttype – specify the packet type [broadcast/multicast/host/otherhost]. Matches on the Ethernet "class" of the frame, which is determined by the generic networking code. Possible values: broadcast (MAC destination is broadcast address), multicast (MAC destination is multicast address), host (MAC destination is the receiving network device) or otherhost (none of the above).
ebtables.rule.<index>.pkttype.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
STP matches
Specify STP BPDU (Bridge Protocol Data Unit) fields. The destination address must be specified as the bridge group address (BGA).
ebtables.rule.<index>.stp.type – specify the BPDU type [0-255].
ebtables.rule.<index>.stp.type.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.flags – specify the BPDU flag [0-255].
ebtables.rule.<index>.stp.flags.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.root_prio – specify the root priority range [0-65535[:0-65535]].
ebtables.rule.<index>.stp.root_prio.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.root_addr – specify the root MAC address [colon separated 6 hexadecimal value pairs[/netmask length in bits]]. See ebtables.rule.<index>.src for more details.
ebtables.rule.<index>.stp.root_addr – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.root_cost – specify the root path cost range [0-4294967295[:0-4294967295]].
ebtables.rule.<index>.stp.root_cost.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.sender_prio – specify the BPDU sender priority range [0-65535[:0-65535]].
ebtables.rule.<index>.stp.sender_prio.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.sender_addr – specify the BPDU sender MAC address [colon separated 6 hexadecimal value pairs[/netmask length in bits]]. See ebtables.rule.<index>.src for more details.
ebtables.rule.<index>.stp.sender_addr.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.port – specify the port identifier range [0-65535[:0-65535]].
ebtables.rule.<index>.stp.port.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.msg_age – specify the message age timer [0-65535[:0-65535]].
ebtables.rule.<index>.stp.msg_age.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.max_age – specify the max age timer [0-65535[:0-65535]].
ebtables.rule.<index>.stp.max_age.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.hello_time – specify the hello time timer [0-65535[:0-65535]].
ebtables.rule.<index>.stp.hello_time.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.stp.forward_delay – specify the forward delay timer [0-65535[:0-65535]].
ebtables.rule.<index>.stp.forward_delay.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
VLAN matches
Specify 802.1Q Tag Control Information fields. The protocol must be specified as 802_1Q (0x8100).
ebtables.rule.<index>.vlan.id – specify the VLAN identifier [0-4095].
ebtables.rule.<index>.vlan.id.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.vlan.prio – specify the VLAN user_priority field value [0-7]. The ebtables.rule.<index>.vlan.id should be set to 0 or be unspecified.
ebtables.rule.<index>.vlan.prio.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.vlan.encap – specify the encapsulated Ethernet frame type/length [0x0000-0xFFFF/symbolic name from /etc/ethertypes]. Contents of /etc/ethertypes file are listed at http://www.cavebear.com/CaveBear/Ethernet/type.html.
ebtables.rule.<index>.vlan.encap.inverse – specify the match value inverse status [enabled/disabled]. Default: disabled.
Watcher Extensions
Watchers are things that only look at frames passing by. These watchers only look the frame if the frame matches the rule.
LOG
The fact that the log module is a watcher lets us log stuff while giving a target by choice. Note that the log module therefore is
not a target. Frames will be logged via system’s syslog. See section Syslog Configuration for more details.
ebtables.rule.<index>.log – specify the logging status [enabled/disabled].
ebtables.rule.<index>.log.level – specify the logging level [emerg/alert/crit/err/warning/notice/info/debug]. Default: info.
ebtables.rule.<index>.log.prefix – specify the prefix that will be printed before the logging information [string].
ebtables.rule.<index>.log.ip – specify to log the IP information when a frame made by the IP protocol matches the rule [enabled/disabled]. Default: disabled.
ebtables.rule.<index>.log.arp – specify to log the (R)ARP information when a frame made by the (R)ARP protocols matches the rule [enabled/disabled]. Default: disabled.
Target Extensions
arpreply
The arpreply target can be used in the PREROUTING chain of the nat table. If this target sees an ARP request it will automatically reply with an ARP reply. The used MAC address for the reply can be specified. When the ARP message is not an ARP request, it is ignored by this target.
ebtables.rule.<index>.t.arpreply.mac – specify the MAC address to reply with [colon separated 6 hexadecimal value pairs]. The Ethernet source MAC and the ARP payload source MAC will be filled in with this address.
ebtables.rule.<index>.t.arpreply.target – specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].
dnat
The dnat target can only be used in the BROUTING chain of the broute table and the PREROUTING and OUTPUT chains of the nat table. It specifies that the destination MAC address has to be changed.
ebtables.rule.<index>.t.to_destination – specify the destination MAC address [colon separated 6 hexadecimal value pairs].
ebtables.rule.<index>.t.dnat_target – specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].
After doing the dnat, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP only makes sense in the BROUTING chain but using the redirect target is more logical there. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.
mark
The mark target can be used in every chain of every table.
ebtables.rule.<index>.t.set_mark – specify the mark [number].
ebtables.rule.<index>.t.mark_target – specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].
After marking the frame, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE can let you do other things with the frame in other rules of the chain.
redirect
The redirect target will change the MAC target address to that of the bridge device the frame arrived on. This target can only be used in the BROUTING chain of the broute table and the PREROUTING chain of the nat table.
ebtables.rule.<index>.t.redirect_target – specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].
After doing the MAC redirect, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP in the BROUTING chain will let the frames be routed. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.
snat
The snat target can only be used in the POSTROUTING chain of the nat table. It specifies that the source mac address has to be changed.
ebtables.rule.<index>.t.to_source – specify the source MAC address [colon separated 6 hexadecimal value pairs].
ebtables.rule.<index>.t.snat_target – specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG].
After doing the snat, the rule still has to give a standard target so ebtables knows what to do. The default target is ACCEPT. Making it CONTINUE could let you use multiple target extensions on the same frame. Making it DROP does not make sense, but you could do that too. RETURN is also allowed. Note that using RETURN in a base chain is not allowed.
arpnat
The arpnat target can only be used in the POSTROUTING and PREROUTING chain of the nat table. It is used instead of absolete Wireless Station Bridge application. It must be used for bouth POSTROUTING and PREROUTING chain to make Wireless Station Bridge working properly.
arpnat may be configured using such options:
ebtables.arpnat.expiration – specify the expiration time in seconds [number] Default: 25200 s.
ebtables.arpnat.debug – [enabled/disabled] Default: disabled.
ebtables.arpnat.bootpnat – [enabled/disabled/relay] Default: enabled.
ebtables.arpnat.pppoenat – [enabled/disabled] Default: enabled.
ebtables.rule.<index>.t.arpnat_target – specify the standard target [DNAT/ACCEPT/DROP/LOG/MARK/MASQUARADE/QUEUE/REDIRECT/REJECT/RETURN/SNAT/TOS/TTL/ULOG]. Default: ACCEPT
macvlan
The arpnat target can be used to add or remove 802.1Q VLAN tag. Example how to remove and add VLAN tag:
# ebtables -t nat -I PREROUTING -i ixp0 -j macvlan --untag 3 ebtables.rule.1.table=nat ebtables.rule.1.chain=PREROUTING ebtables.rule.1.in=ixp0 ebtables.rule.1.target=macvlan --untag 3 ebtables.rule.1.t.arpnat_target=ACCEPT # ebtables -t nat -I POSTROUTING -o ixp1 -j macvlan --tag 3 ebtables.rule.2.table=nat ebtables.rule.2.chain=POSTROUTING ebtables.rule.2.out=ixp1 ebtables.rule.2.target=macvlan --tag 3
Example:
ebtables.status=enabled ebtables.rule.1.table=nat ebtables.rule.1.chain=PREROUTING ebtables.rule.1.in=ms1 ebtables.rule.1.target=redirect ebtables.rule.1.dst=FF:FF:FF:FF:FF:FF ebtables.rule.1.dst.inverse=enabled ebtables.rule.2.table=nat ebtables.rule.2.chain=POSTROUTING ebtables.rule.2.out=ms1 ebtables.rule.2.target=snat ebtables.rule.2.t.to_source= 00:90:4B:C8:36:37 ebtables.rule.2.t.snat_target=ACCEPT ebtables.rule.3.table=broute ebtables.rule.3.chain=BROUTING ebtables.rule.3.in=eth0 ebtables.rule.3.protocol=ARP ebtables.rule.3.arp.mac_dst=00:90:4B:69:4A:95 ebtables.rule.3.arp.mac_dst.inverse=enabled ebtables.rule.3.target=DROP
SMTP Redirection
SMTP redirection is useful for authenticating wireless router setups. It allows customers to connect to access point and send out emails without the need to reconfigure their email client software. If AAA is enabled, only authenticated customers should be allowed to use SMTP redirection. SMTP redirection service intercepts SMTP connections on port 25 and redirects to a preconfigured SMTP server. It can be implemented by configuring the IP firewall. See example below.
Example:
# redirect e-mail for clients on ixp0 interface # 192.168.30.1 – WAN gateway # 195.14.162.78 – SMTP server firewall.status=enabled firewall.rule.1.status=enabled firewall.rule.1.target=SNAT firewall.rule.1.table=nat firewall.rule.1.chain=POSTROUTING firewall.rule.1.t.snat.source=192.168.30.1 firewall.rule.1.out=ixp1 firewall.rule.1.protocol=TCP firewall.rule.1.dport=25 firewall.rule.2.status=enabled firewall.rule.2.table=nat firewall.rule.2.chain=PREROUTING firewall.rule.2.in=ixp0 firewall.rule.2.dst=195.14.162.78 firewall.rule.2.protocol=TCP firewall.rule.2.dport=25 firewall.rule.2.target=ACCEPT firewall.rule.3.status=enabled firewall.rule.3.table=nat firewall.rule.3.chain=PREROUTING firewall.rule.3.protocol=TCP firewall.rule.3.in=ixp0 firewall.rule.3.dport=25 firewall.rule.3.target=DNAT firewall.rule.3.t.dnat.dst=195.14.162.78
White/Black List
The white and black access lists control user access to Web content through the Access Controller. The unauthenticated users will be allowed to access sites from white list while access to the sites from black list will be denied even for authenticated users.
There is a possibility to specify static and remote white/black list entries in the system configuration. The remote list will be retrieved from the specified remote locations. The static and remote entries will be refreshed automatically at the predefined time interval. The remote white/black is a simple text file, where each non-empty line is assumed to have one host. If the list has changed since the last update, all previously entered hosts will be overwritten by the new white/black list.
All available keys of the White/Black List are listed below:
access.<index>.status – specify the white/black list feature status [enabled/disabled]. Default: enabled.
access.verbose – specify the status weather the service daemon should be verbose or not [enabled/disabled]. Default: disabled.
access.<index>.devname – specify the interface name for which black/white policies should be applied. Instead of interface name, character ‘*’ can be specified and it stands for all interfaces.
access.<index>.update.period – specify the list update period in seconds [0-99999999]. To disable the periodical update, use 0. The accuracy of this setting is 30 seconds. Default: 3600.
access.<index>.resolv.period – specify the DNS resolving period for black/white list entries [0-99999999]. To disable periodical resolving, use 0. The accuracy of this setting is 30 seconds. Default: 300.
| | TThe DNS resolving period should be less than update period, otherwise it will be ignored and the resolving of DNS entries will be performed on the next update. |
access.<index>.whitelist.<index>.status – specify the white list status [enabled/disabled]. Default: enabled.
access.<index>.whitelist.<index>.url – specify the URL [string]. This URL is used as a link target for the UAM whitelist. When specified, system will extract the host, port and protocol from the URL. If specified, the only key access.<index>.whitelist.<index>.descr is necessary, all other keys will be ignored.
access.<index>.whitelist.<index>.descr – specify the current entry description string [string]. In case when URL is specified it can be used as a link text for that URL.
access.<index>.whitelist.<index>.host – specify the host name or host/network IP address [IP address or hostname string].
access.<index>.whitelist.<index>.netmask – specify the netmask, used to cover network range limited by host and netmask. Default: 255.255.255.255.
access.<index>.whitelist.<index>.port.from – specify the TCP or UDP port number [0-65535]. This denotes the first port in a range or the single port when access.<index>.whitelist.<index>.port.to is not specified.
access.<index>.whitelist.<index>.port.to – specify the TCP or UDP port number [0-65535]. This denotes the last port in a range.
access.<index>.whitelist.<index>.proto – specify the IP protocol number [0-255] or protocol keyword. The standard IP protocol as specified at http://www.iana.org/assignments/protocol-numbers. The value 0 is used to match any protocol. Default: 0
access.<index>.whitelist.location.<index>.status – specify the status of the white list location [enabled/disabled]. Default: enabled.
access.<index>.whitelist.location.<index>.url – specify the FTP or HTTP URL, which will be used as an additional source for white list entries [string].
access.<index>.blacklist.<index>.status – specify the black list status [enabled/disabled]. Default: enabled.
access.<index>.blacklist.<index>.url – specify the URL [string]. This URL is used as a link target for the UAM blacklist. When specified, system will extract the host, port and protocol from the URL. If specified, the only key access.<index>.blacklist.<index>.descr is necessary, all other keys will be ignored.
access.<index>.blacklist.<index>.descr – specify the current entry description string [string]. In case when URL is specified it can be used as a link text for that URL.
access.<index>.blacklist.<index>.host – specify the host name or host/network IP address [IP address or hostname string].
access.<index>.blacklist.<index>.netmask – specify the netmask, used to cover network range limited by host and netmask. Default: 255.255.255.255.
access.<index>.blacklist.<index>.port.from – specify the TCP or UDP port number [0-65535]. This denotes the first port in a range or the single port when access.<index>.blacklist.<index>.port.to is not specified.
access.<index>.blacklist.<index>.port.to – specify the TCP or UDP port number [0-65535]. This denotes the last port in a range.
access.<index>.blacklist.<index>.proto – specify the IP protocol number [0-255] or protocol keyword. The standard IP protocol as specified at http://www.iana.org/assignments/protocol-numbers. The value 0 is used to match any protocol. Default: 0
access.<index>.blacklist.location.<index>.status – specify the status of the black list location entry [enabled/disabled]. Default: enabled.
access.<index>.blacklist.location.<index>.url – specify the FTP or HTTP URL, which will be used as an additional source for black list entries [URL string].
Example:
#The 'white' entry, demonstrates specifying ip and port range. #Range 123.123.123.0/24 with port range [1024-65535] access.1.whitelist.1.descr=Address Range 123.123.123.0/24 with port range [1024-65535] access.1.whitelist.1.host=123.123.123.0 access.1.whitelist.1.netmask=255.255.255.0 access.1.whitelist.1.proto=TCP access.1.whitelist.1.port.from=1024 access.1.whitelist.1.port.to=65535
Static Bandwidth Control
The Static Bandwidth Control is used for customers that do not use RADIUS servers to authenticate users, but want to be able to control bandwidth statically:
- upload/download bandwidth per user (IP address) based on bandwidth configuration file
- in AP client operation, ability to set max up/down speed limits overall
- in AP client operation, ability to limit packet per second, upload bandwidth, and max sessions (connection limits)
bandwidth.status – specify status of the static bandwidth control [enabled/disabled]. Default: disabled.
bandwidth.manual – enable manual editing of the configuration file /etc/persistent/bandwidth/bandwidth.cfg [enabled/disabled]. Default: disabled. This means that if there is need to add new limitation (or modify existing limitations) per IP, there is no need to reload WILI device. It is possible to modify configuration file etc/persistent/bandwidth/bandwidth.cfg manually and reload script from the shell with command:
/sbin/bandwidth.sh start
Manual configuration file editing means that sysconf do not overwrites configuration file on device reload. Script reads data from /etc/persistent/bandwidth/bandwidth.cfg and generates rules.
Configuration file etc/persistent/bandwidth/bandwidth.cfg pattern for limiting per IP
Up_dev:Up_bandwidth:Down_dev:Down_bandwidth:ip:pps
Configuration file etc/persistent/bandwidth/bandwidth.cfg pattern for limiting per interface:
dev:bandwidth
Keys of the limitation per IP
bandwidth.<index>.up.dev – specify Upload interface name [string].
bandwidth.<index>.up.speed – specify the maximum upload speed in kbps [integer].
bandwidth.<index>.down.dev – specify Download interface name [string].
bandwidth.<index>.down.speed – specify the maximum download speed in kbps [integer].
bandwidth.<index>.ip – specify IP address of the client for which the traffic limitation will be set.
bandwidth.<index>.pps – specify packet per second [integer]. The packet per second value must be calculated according formula:
down.speed*1024/8/1000=pps
The download speed should be multiplied by 1024 to get download speed in bps (bits per second). Then this value should be divided by 8 to get value in Bps (bytes per second). Then this value should be divided by 1000 (the average of the packet size is 1000 bytes.
For example download speed is 1Mbps (1024 kbps), then we calculate PPS according formula:
1024*1024/8/1000 = 131
This means that minimum PPS value should be 131, otherwise the download process can be unexpected.
| | If device works as bridge, the name of the bridge port interface (ixp, eth, ath and etc) should be used, not bridge interface name (br0, etc). |
Keys of the limitation per interface:
bandwidth.<index>.devname – specify the interface of the WILI device for which the traffic limitation will be set.
| | Only the egress traffic can be limited per interface.. |
bandwidth.<index>.speed – specify the maximum egress traffic speed in kbps [integer].
| | The speed limitation per interface should be the sum of all speed limitations set per IP to that interface at the least.. |
According this Figure the configuration is:
bandwidth.1.up.dev=ixp1 bandwidth.1.up.speed=1024 bandwidth.1.down.dev=ath0 bandwidth.1.down.speed=1024 bandwidth.1.ip=192.168.0.1 bandwidth.1.pps=131
According this configuration the bandwidth configuration file /etc/persistent/bandwidth/bandwidth.cfg will be generated:
ixp1:1024:ath0:1024:192.168.0.1:131
The configuration of the limitation per interface:
bandwidth.2.devname=ath0 bandwidth.2.speed=10240
The bandwidth configuration file /etc/persistent/bandwidth/bandwidth.cfg will be generated:
ath0:10240
Management Access Configuration
This section describes user and administrative access settings, configuration of SSH, HTTP(S), SNMP servers, RCMS configuration, configuration of system users.
Skins
The WILI-S device web management starting firmware version 3.54 is based on the skins. Skins influence not only on device appearance but also on device functionality.
Indicate the active skin on the device using configuration file keys:
skin.active – specify the name of the skin [string]. This may be only a skin name or a full path to skin archive.
skin.version – specify the version of the skin [string].
There is a relation between Skin configuration keys and version.txt file (found in skin archive) with meta information about the skin.
| configuration key | version.txt key |
|---|---|
| skin.active | title |
| skin.version | version |
Example:
skin.active=wili-o skin.version=0.1.11311
SSH Server
The SSH server is enabled by default on the WILI-S:
sshd.status – specify the SSH server status [enabled/disabled]. Default: enabled.
sshd.port – specify the port for incoming SSH connections [0-65535]. Default: 22.
sshd.keepalive - specify the time in seconds at which the ping will be transmitted to the client to ensure continuity of connection [integer]. Default: 60.
sshd.auth-key - specify SSH key authentication method [dss/rsa].
Example:
# enable SSH server, these are the defaults sshd.status=enabled sshd.port=22
HTTP(S) Server
This section provides the description of the HTTP and HTTPS services configuration that makes ability to manage the WILI-S based device through a Web browser.
All available keys of the HTTP(S) configuration are listed below:
httpd.status – specify the HTTP(S) service status [enabled/disabled].
httpd.port.http – specify the TCP port for incoming HTTP requests [0-65535]. Default: 80. The value 0 will disable access trough HTTP (not HTTPS!).
httpd.port.https – specify the TCP port for incoming HTTPS requests [0-65535]. Default: 443.
httpd.port.admin – specify the TCP port for incoming HTTPS requests to Web configuration interface [0-65535]. Default: 444.
httpd.certificate.file – specify the server certificate file name required for HTTPS operation [file name with .pem extension]. It is treated as file name relative to /etc/persistent/public_cert/. Certificate file should be in PEM format.
httpd.certificate.key – specify the key file name for the server certificate required for HTTPS operation [file name with .key or.p12 extension]. It is treated as file name relative to /etc/persistent/private_key/. If certificate file is specified in PCKS#12 format (.p12 extension), it includes both the certificate and the key. In this case httpd.certificate.file value will be ignored.
httpd.certificate.key.password – specify the password for key decryption [string]. Only used if the certificate key is encrypted.
httpd.servername – specify the server name [string]. If this value is specified - HTTPS server will use it when generating self-referencing URL's, otherwise server will use client supplied IP address and port. Default: empty.
httpd.external.status – specify the external Web portal feature status [enabled/disabled]. Default: disabled.
httpd.external.secret – specify the external Web portal shared secret [string]. Default: empty.
The configuration keys for server performance tuning and troubleshooting:
httpd.backlog – specify the maximum pending connections HTTP server accepts [0-65535]. Default: 100.
httpd.max.request – specify the maximum size for POST requests [0-65535]. Default: 51200.
httpd.max.connections – specify the maximum requests to be served concurrently [0-65535]. Default: 50.
httpd.max.idletime – specify the maximum session idle time (in seconds) before session is considered inactive and automatically destroyed [integer]. Default: 1800 seconds.
httpd.verbose – specify for additional logging information. Default: disabled.
Example:
# setup HTTP(S) server httpd.status=enabled httpd.port.http=80 httpd.port.https=443 httpd.port.admin=444 httpd.certificate.file=/usr/etc/httpd/server.pem httpd.certificate.key=/usr/etc/httpd/key.pem httpd.backlog=100 httpd.external.status=disabled httpd.max.connections=50 httpd.max.request=51200 httpd.verbose=disabled
SNMP Agent
SNMP is the standard network management protocol. The Hotspot-in-a-Box has a built-in SNMP agent. To communicate with SNMP agent you must configure SNMP communities and identifiers on both SNMP manager and SNMP agent. The WILI-S supports all three SNMP protocol versions (v1,v2c and v3) in read-only mode.
All available keys of the SNMP configuration are listed below:
snmpd.status – specify the SNMP service status on WILI-S device [enabled/disabled]. With this service enabled the device acts as the SNMP agent and can be monitored using SNMP.
snmpd.name – specify an administratively assigned name for this managed node [string]. By convention, this is the node’s fully qualified domain name.
snmpd.location – specify the physical location of this node (eg., `telephone closet, 3rd floor') [0-99 string].
snmpd.contact – specify the textual identification of the contact person for this managed node, together with information on how to contact this person [0-99 string].
| | SNMP community name is only used in SNMP version 1 and version 2c. |
snmpd.rocommunity – specify the read-only community name [1-32 string].
| | SNMP user name and password are used in SNMP version 3. |
snmpd.rouser – specify the user name for read-only SNMPv3 access [1-32 string].
snmpd.ropassword – specify the password for read-only SNMPv3 access [8-32 string].
Setup the Trap messages sending. The system sends a Cold Start trap when it starts up. If enabled, it also sends traps on authentication failures. Multiple trapsink, trap2sink and informsink hosts may be specified. Use trap2sink to send SNMPv2 traps and informsink to send inform notifications.
snmpd.traps.status – specify the trap message sending status [enabled/disabled]. Default: enabled.
snmpd.auth.traps – specify the generation of authentication failure traps status [enabled/disabled]. Default: disabled.
snmpd.trap.community – specify the community name for the SNMP trap message [string]. This community will be used in trap messages to authenticate to the SNMP manager [community string].
snmpd.trapsink. <index>.host – specify the host IP address that will receive the SNMPv1 traps [IP address].
snmpd.trapsink. <index>.community – specify the community name for SNMPv1 traps [string]. If community is not specified, the snmpd.trap.community will be used.
snmpd.trapsink. <index>.port – specify the port number the SNMPv1 trap messages should be send through [0-65535]. Default: 162
snmpd.trap2sink. <index>.host – specify the host IP address that will receive the SNMPv2 traps [IP address].
snmpd.trap2sink. <index>.community – specify the community name for SNMPv2 traps [string]. If community is not specified, the snmpd.trap.community will be used.
snmpd.trap2sink. <index>.port – specify the port number the SNMPv2 trap messages should be send through [0-65535]. Default: 162
SNMP notifications can be sent as traps or inform requests. Traps are unreliable because the receiver does not send any acknowledgment when it receives a trap. The sender cannot determine if the trap was received. However, an SNMP manager that receives an inform request acknowledges the message with an SNMP response PDU. If the manager does not receive an inform request, it does not send a response. If the sender never receives a response, the inform request can be sent again. Thus, informs are more likely to reach their intended destination.
snmpd.informsink. <index>.host – specify the host IP address on which the inform requests will be enabled [IP address].
snmpd.informsink. <index>.community – specify the community name for inform requests [string]. If community is not specified, the snmpd.trap.community will be used.
snmpd.informsink. <index>.port – specify the port number the inform requests should be send through [0-65535]. Default: 162
Example:
# setup SNMP agent snmpd.status=enabled snmpd.contact=My system contact snmpd.location=My system location snmpd.name=My system snmpd.rocommunity=public snmpd.ropassword=secret snmpd.rouser=user snmpd.traps.status=enabled snmpd.auth.traps=enabled snmpd.trap.community=community_string snmpd.trap2sink.1.host=192.168.2.21 snmpd.trap2sink.1.port=162 snmpd.trapsink.1.host=192.168.2.21 snmpd.trapsink.1.port=162
System Users
You can configure up to 50 system users on the WILI-S. All users will have read-write (administrator) permissions. If there are no users provided, the default user will be created with these credentials:
- username: admin
- password: encrypted: "admin01"
users.status – specify the status of the users plugin [enabled/disabled]. Default: disabled.
users.<index>.status – specify current user entry status [enabled/disabled]. Default: enabled.
users.<index>.name – specify the username for system access [string].
users.<index>.password – specify the password for system access [string]. The password must be encrypted using standard C library crypt() function.
users.<index>.shell – string value, shell executed for the user (i.e. "/bin/sh").
users.<index>.uid – specifies the user's unique numeric ID. The value is a unique decimal integer string. Default: 0.
users.<index>.gid – specifies the group ID. The value is a unique decimal integer string. Default: 0.
Example:
users.status=enabled users.1.name=admin users.1.password=oHSl3yqR.t1uQ users.1.status=enabled # users.2.name=admin2 users.2.shell=/bin/sh users.2.password=oHSl3yqR.t1uQ users.2.status=enabled # users.3.name=admin3 users.3.shell=/ users.3.password=oHSl3yqR.t1uQ users.3.status=enabled # users.4.name=admin4 users.4.shell=/sbin/zebra users.4.password=oHSl3yqR.t1uQ users.4.status=enabled # users.5.name=admin5 users.5.shell=/etc/persisent/rc.local users.5.password=oHSl3yqR.t1uQ users.5.status=enabled
Just because / is a directory (for admin3 user) default /bin/clish will be selected as default shell. Just because /etc/persisent/rc.local is not executable (lacking +x permisions on file, in my case) also /bin/clish is used by default for admin5 user too.
If users.X.shell parameter is regular file, has execute permission then user shell will be tyhe program specified.
Sysconf will generate /etc/passwd file:
admin:oHSl3yqR.t1uQ:0:0:Administrator:/:/bin/clash admin2:oHSl3yqR.t1uQ:0:0:Administrator:/:/bin/sh admin3:oHSl3yqR.t1uQ:0:0:Administrator:/:/bin/clish admin4:oHSl3yqR.t1uQ:0:0:Administrator:/:/sbin/zebra admin5:oHSl3yqR.t1uQ:0:0:Administrator:/:/bin/clish
User Authentication
There is a certain need to authenticate/authorize (and optionally account) local device users (administrators) through centralized systems, eg. using TACACS+ servers. User authentication/authorization is controlled using Pluggable Authentication Modules (PAM).
Services that require user authentication (Web server, SSH server) may be configured to use specific PAM configuration instead of locally stored password file (which being traditional authentication method is also transparently handled by PAM, however it does not require additional configuration). Each service may have several modules of four module types:
- auth – authentication; it establishes that the user is who they claim to be, by instructing the application to prompt the user for a password or other means of identification;
- account – authorization and/or other aspects of account management; it is typically used to restrict/permit access to a service based on the time of day, currently available system resources (maximum number of users), etc.;
- session – authenticated user session startup and ending; this module is associated with doing things that need to be done for the user before/after they can be given service like logging of information concerning the opening/closing of some data exchange with a user;
- password – password changing; this last module type is required for updating the authentication token associated with the user.
There may be more than one module of the same type - in that case, modules are executed in specified order. Execution flow of one-type modules can be controlled by control flag. Currently supported control flags:
- required – module is required for success, failure is delivered only after all modules have been executed;
- requisite – almost the same as required, however failure is delivered immediately after failing module of this control type;
- sufficient – it is enough to have only one succeeding module of the same control type;
- optional – module may fail without any influence on module execution chain.
Supported modules:
- pam_unix.so (for types: auth, account, session, password) – standard Unix authentication module; it uses standard calls from the system's libraries to retrieve and set account information as well as authentication; usually this is obtained from the /etc/passwd and the /etc/shadow file as well if shadow is enabled;
- pam_deny.so (for types: auth, account, session, password) – used to deny access; it always indicates a failure to the application through the PAM framework;
- pam_warn.so (for types: auth, password) – used for logging information about a proposed authentication or application to update a password;
- pam_tacplus.so (for types: auth, account, session) – used for authentication using TACACS+ protocol.
Module pam_tacplus.so supports following options (options should be specified after module name):
- debug (for types: auth, account, session) – output debugging information using syslog service (see section Syslog Configuration); note that this also includes passwords;
- encrypt (for types: auth, account, session) – encrypt TACACS+ packets; you should use this always in normal operations;
- secret=STRING (for types: auth, account, session) - secret key used to encrypt/decrypt packets sent/received from the server;
- server=HOSTNAME or server=IP_ADDR (for types: auth, account) – can be specified more than once, adds a TACACS+ server to the servers list;
- firsthit (for type: auth) – if multiple servers are supplied, pam_tacplus will try to authenticate the user on all servers until it succeeds or all servers are queried;
- acct_all (for type: session) – if multiple servers are supplied, pam_tacplus will send accounting start/stop packets to all servers on the list;
- service (for types: auth, account) – TACACS+ service for authorization and accounting (eg. system, network, shell);
- protocol (for types: auth, account) – TACACS+ protocol for authorization and accounting (eg. lcp).
PAM can be configured using the following configuration keys:
pam.status – specify the PAM service status [enabled/disabled]. Default: disabled. If PAM is disabled a default PAM configuration will be used. Default configuration allows only UNIX logins. It is stored on a read-only flash memory.
pam.<index>.status – specify the particular service status [enabled/disabled]. Default: enabled.
pam.<index>.name – specify the name of the service [web/sshd/OTHER]. Web and sshd are names for administrative access through Web and SSH. OTHER is a special service name, which matches any non-configured service.
pam.<index>.<auth/account/session/password>.<index>.status – specify the particular module status [enabled/disabled]. Default: enabled.
pam.<index>.<auth/account/session/password>.<index>.module – specify the module library name with parameters [pam_unix.so/pam_deny.so/pam_warn.so/pam_tacplus.so].
pam.<index>.<auth/account/session/password>.<index>.control – specify the control flag of the module [required/requisite/sufficient/optional].
The configuration file snapshot for an example described above should be like this:
Example:
# a more complex example of authentication setup for different applications # and secure defaults: authentication via Web uses TACACS+ only # pam.status=enabled pam.1.name=web pam.1.auth.1.control=required pam.1.auth.1.module=pam_tacplus.so server=111.111.111.111 secret=SECRET encrypt pam.1.account.1.control=required pam.1.account.1.module=pam_tacplus.so secret=SECRET encrypt service=system protocol=lcp pam.1.session.1.control=required pam.1.session.1.module=pam_tacplus.so server=111.111.111.111 secret=SECRET-124 encrypt service=system protocol=lcp pam.1.password.1.control=required pam.1.password.1.module=pam_deny.so # # SSH access uses TACACS+ with failure fallback to # locally stored passwords (as described above in configuration file snapshots) # pam.2.name=sshd pam.2.auth.1.control=sufficient pam.2.auth.1.module=pam_tacplus.so server=192.168.0.111 secret=verysecretword encrypt pam.2.auth.2.control=sufficient pam.2.auth.2.module=pam_unix.so pam.2.account.1.control=sufficient pam.2.account.1.module=pam_tacplus.so secret=verysecretword encrypt service=shell protocol=lcp pam.2.account.2.control=sufficient pam.2.account.2.module=pam_unix.so pam.2.session.1.control=sufficient pam.2.session.1.module=pam_tacplus.so server=192.168.0.111 secret=verysecretword encrypt service=shell protocol=lcp pam.2.session.2.control=sufficient pam.2.session.2.module=pam_unix.so pam.2.password.1.control=required pam.2.password.1.module=pam_deny.so
RCMS Client
The RCMS client is a part of the management system. This management system provides auto-provisioning of WILI-S configuration files. RCMS agent can:
- Send heartbeat notifications with standard and optional information to the RCMS server
- Report device's extended status configuration to the RCMS server
- Report device's current configuration to the RCMS server
- Download and apply/merge full or partial configuration from the RCMS server
- Download and update device's firmware from the RCMS server
- Gather and sent networks usage or selected statistics from SNMP to RCMS server
The RCMS agent starts at the very end of the system startup process. It reads its configuration directly from the system configuration file.
All available keys of the RCMS Agent are listed below:
rcms.status – specify the RCMS client status [enabled/disabled]. Default: disabled.
rcms.device.name – specify friendly name to identify your device (string, e.g. home AP) [device name]. Device friendly name is used in RCMS server, device skin, device statistics. If no RCMS device name is specified, SNMP name will be used. If no SNMP name is specified, “no-name” will be displayed as friendly name.
rcms.connection.persistent – specify to make a persistent connection to the RCMS server [enabled/disabled]. If enabled, the connection to the RCMS server will be kept persistent; if disabled, the connection will be established and subsequently closed after all server responses are processed for every heartbeat notification. Default: disabled.
rcms.connection.timeout – specify the maximum number of seconds to wait for a response from the RCMS server before considering the connection as having timed out [number]. Default: 60.
rcms.multicast.group – specify the IP multicast group address to listen on during automatic RCMS server discovery. Default: 224.0.6.128. It is not recommended to change the default multicast group address, so it is best to not include this setting in the configuration file at all.
rcms.multicast.port – specify the port to bind to when listening on an IP multicast group during automatic RCMS server discovery [1-56635]. Default: 45144. It is not recommended to change the default multicast port, so it is best to not include this setting in the configuration file at all.
rcms.multicast.devname – specify the name of the interface to bind to when listening on an IP multicast group during automatic RCMS server discovery. The interface is optional, but it is highly recommended to define it. If no interface is provided, RCMS agent will try to bind on all interfaces. This will succeed only if default or multicast route is configured on the system. Otherwise RCMS agent will keep trying to bind and report errors to system log.
rcms.path.sysconf – specify the full path to the sysconf tool [string]. Default: /sbin/sysconf.
rcms.path.fwupdate – specify the full path to the firmware update tool [string]. Default: /sbin/fwupdate.
rcms.heartbeat.url – specify the URL of the RCMS server or stand-alone WILI Scout that heartbeat notifications are sent to (and, subsequently, server responses are read from and processed) [URL string]. If you are using WILI-MESH product and want
| | For stand-alone WILI Scout specify server URL, where the application is running. |
rcms.heartbeat.interval – specify the interval, in seconds, between subsequent heartbeat notifications [number]. Default: 30.
rcms.auth.certificate – specify the name of RCMS client certificate PKCS12 file [file name]. It should be stored in /etc/persistent/private_key/ directory on device.
rcms.auth.cert_passwd – specify the password for certificate PKCS12 file [string]. Only used if the certificate key is encrypted.
rcms.auth.cert_uri – specify the URI to issue a GET request to, to have the client certificate transferred to the server [string]. Apache 2 Web server does not support client authentication if the first request sent by the client is a POST request, which is exactly what RCMS agent uses to send heartbeat requests. Therefore, the RCMS agent issues a GET request to this URI immediately after opening the connection, in HTTPS mode. Default value is rcms.heartbeat.url with ".cert" appended.
rcms.auth.identifier – specify the unique identifier used for client authentication [number].
Some information for RCMS agent can be provided by SNMP agent. The following keys require SNMP to be configured (see section SNMP Configuration).
rcms.statistics.interval – specify the heartbeat interval, in seconds, between statistics collection. Default: 300 (sec).
rcms.heartbeat.network_usage – controls if gathered network usage statistics should be send to RCMS server [enabled/disabled]. Default: disabled. Read more about these statistics in section Network Usage Statistics. statsd.status key should be enabled also in order to gather network usage statistics on device. The RCMS heartbeat interval for network usage statistics can be specified using rcms.statistics.interval key (see key description above).
rcms.verbose – switch on debug messages of RCMS daemon [enabled/disabled]. Default: disabled. Debug messages will be send to syslog.
rcms.heartbeat.optional.<index>.status – status of sending received specific statistics from SNMP to RCMS server [enabled/disabled]. Default: disabled.
rcms.heartbeat.optional.<index>.name – specify statistic name for easier statistics identification [string].
rcms.heartbeat.optional.<index>.oid – specify the local SNMP OID to gather the information from [SNMP OID]. This key is used to setup the device to gather a certain statistics and send it to the RCMS server where they will be graphically displayed. The default configuration includes keys with 3 statistics SNMP OIDs: system uptime, 5min average of CPU load and amount of free memory.
| | Use your favorite SNMP MIB browser to find out an OID number of the particular statistics. |
The interface name placeholder may be used within SNMP OID value. The placeholder is used to convert interface name to the current interface index in the system. The RCMS client will check for correct index by interface name on each statistics update. The syntax of the interface name placeholder is:
$if_index(<interface name>)
The example shows keys of the eth0 interface TX errors statistics:
rcms.heartbeat.optional.1.name=eth0_ifOutErrors
rcms.heartbeat.optional.1.oid=.1.3.6.1.2.1.2.2.1.20.$if_index{eth0}
rcms.heartbeat.mesh_statistics – enable statistics for WILI MESH device [enabled/disabled]. This key controls if MESH statistics should be collected and send with heartbeat.
| | For more information about how to setup specific WILI Scout statistics refer to section WILI Scout. |
Example:
## Enable RCMS Service # rcms.status=enabled # Setup RCMS agent rcms.connection.persistent=no rcms.connection.timeout=30 rcms.heartbeat.interval=30 rcms.heartbeat.url=http://195.14.175.138/rcms/heartbeat.php # Report system uptime to server, for statistics collecting rcms.heartbeat.optional.1.name=uptime rcms.heartbeat.optional.1.oid=.1.3.6.1.2.1.1.3.0 # Report 5 minute average of CPU load to server, for statistics collecting rcms.heartbeat.optional.2.name=cpu_load_5 rcms.heartbeat.optional.2.oid=.1.3.6.1.4.1.2021.10.1.5.2 # Report amount of free memory to server, for statistics collecting rcms.heartbeat.optional.3.name=mem_free rcms.heartbeat.optional.3.oid=.1.3.6.1.4.1.2021.4.11.0 # Report amount of TX errors of the eth0 interface rcms.heartbeat.optional.4.name=eth0_ifOutErrors rcms.heartbeat.optional.4.oid=.1.3.6.1.2.1.2.2.1.20.$if_index{eth0}
Network Usage Statistics
Configure this setting to gather and record network usage statistics if you want to see associated wireless clients on device. Gathered information could be used for WILI SKIN’s statistics and for RCMS server.
Gathered network usage statistics consists of:
- MAC address of the client
- Device name
- Connection time (yyyy-mm-dd hh:mm)
- Disconnection time (for recently disassociated clients, the same format as connection time)
- RX bytes
- TX bytes
- SSID
statsd.status – enable network usage statistics gathering and recording on device [enabled/disabled]. Default: disabled. If you want to use gathered statistics in RCMS server, see rcms.heartbeat.network_usage key description.
statsd.verbose – switch on debug messages of statistics (statsd) daemon [enabled/disabled]. Default: disabled.
IP Multicasting Based Device Discovery
| | Use WILI Discovery application, integrated in WILI Scout utility to find WILI devices in your network. |
IP Multicast discovery will allow to discover WILI devices within reach of a single multicast packet. Multicast discovery is listening for multicast request packet and will respond with following information about device:
- WAN interface MAC,
- WAN interface IP address,
- device firmware version;
Enable the multicast discovery with the following configuration key:
discoveryd.status – specify the status of the device multicast discovery [enabled/disabled]. Default: disabled.
| | If WAN interface is on a bridge, the device will return IP address 0.0.0.0. |
WILI Discovery application is integrated into the WILI Scout Java utility. Launch the WILI Discovery application and the list of the existing WILI devices in your network will be displayed:
Device IP address – displays the IP address of the interface, which sent reply to WILI discovery request.
WAN IP address – displays the WAN IP address of the WILI device.
WAN Hardware address – displays the MAC address of the WAN interface of the WILI device.
Firmware version – displays the current firmware version of the WILI device.
Scan – click to find WILI devioces on the network.
Clear – click to clear the list of the WILI devices.
Exit – click to exit the WILI Discovery application.
System Services Configuration
This section describes system settings: device clock synchronization, NTP configuration and device message logging features.
Manual Clock regulation
To set the device’s internal clock, use these keys for configuration:
date.status – specify the manual clock status [enabled/disabled]. Default: disabled.
date.manual – specify the date value [MMDDhhmmYYYY.SS]. The time stamp format is:
- MM - month (01-12)
- DD - day of month (01-31)
- hh - hour (00-23)
- mm - minute (00-59)
- YYYY - year (1970-2037)
- SS - seconds (00-59)
date.lastknowntime.status – specify the last known time feature status [enabled/disabled]. When this feature is enabled, system will save and restore the clock settings after reboot using /etc/persistent/lastknowntime file. This should be used together with NTP service - the system clock will be set to the last reboot time if no NTP servers are available. Default: disabled.
date.timezone – specify the timezone information [string]. The timezone string is one of special formats:
- std offset
- std offset dst [offset],start[/time],end[/time]
The first format is used when there is no daylight saving time in the local timezone. The std string specifies the name of the time zone and must be three or more alphabetic characters. The offset string immediately follows std and specifies the time value to be added to the local time to get Coordinated Universal Time (UTC). The offset is positive if the local time zone is west of the Prime Meridian and negative if it is east. The hour must be between 0 and 24, and the minutes and seconds 0 and 59.
The second format is used when there is daylight saving time. There are no spaces in the specification. The initial std and offset specify the standard time zone, as described above. The dst string and offset specify the name and offset for the corresponding daylight savings time zone. If the offset is omitted, it defaults to one hour ahead of standard time.
The start field specifies when daylight savings time goes into effect and the end field specifies when the change is made back to standard time. These fields may have the following formats:
- Jn This specifies the Julian day with n between 1 and 365. February 29 is never counted even in leap years.
- n This specifies the Julian day with n between 1 and 365. February 29 is counted in leap years.
- Mm.w.d This specifies day d (0 <= d <= 6) of week w (1 <= w <= 5) of month m (1 <= m <= 12). Week 1 is the first week in which day d occurs and week 5 is the last week in which day d occurs. Day 0 is a Sunday.
The time fields specify when, in the local time currently in effect, the change to the other time occurs. If omitted, the default is 02:00:00.
Example 1:
# setup the device clock to year 2006, January 16th, 14:32:12, GMT+2 date.status=enabled date.lastknowntime.status=disabled date.manual=011614322006.12 date.timezone=GMT+2
Example 2:
# setup the lastknowntime function: date.status=enabled date.lastknowntime.status=enabled date.timezone=GMT-2
NTP Client
The NTP (Network Time Protocol) service is used to synchronize the clock of the WILI-S device with a selected time server.
| | Up to 16 NTP servers can be configured on the WILI-S based device. |
All available keys of the NTP client are listed below:
ntpd.status – specify the status for NTP service [enabled/disabled]. Default: disabled.
ntpd.<index>.status – specify the status of the particular NTP server [enabled/disabled].
ntpd.<index>.server – specify the trusted NTP server IP address or hostname for synchronizing time with [IP address or hostname string].
Example:
ntpd.status=enabled ntpd.1.status=enabled ntpd.1.server=192.53.103.103
Trace System
The trace system functionality provides debug information for system services and protocols should a malfunction occur. The trace system capability can help operators to locate mis-configurations and system errors.
The trace system functionality is controlled with the key:
sysconf.trace – specify the trace system status [enabled/disabled]. Default: disabled.
Syslog
You can configure device to save log messages to the local or remote file using standard syslog facility.
All available keys of the Syslog service are listed below:
syslog.status – specify the status of syslog service [enabled/disabled].
syslog.file – specify the logged information file name with the path [string]. Default: /var/log/messages.
syslog.file.umask – specify the umask for the output file [numbers]. Default: 077
syslog.file.msg.level – specify the message level you need to trace. The level determines the importance of the message and the volume of messages generated by the device. The levels are in order of increasing importance [emerg/alert/crit/err/warning/notice/info/debug]. Default: info.
You can configure the device to send system log messages to a remote server:
syslog.fwd.status – specify the remote syslog server status [enabled/disabled]. Default: disabled.
syslog.fwd.host.ip – specify the remote host IP address where syslog messages will be sent.
syslog.fwd.host.port – specify the port to which syslog messages will be forwarded [0-65535]. Default: 514.
syslog.fwd.msg.level – specify the message level that will be send to the remote syslog server. The levels are in order of increasing importance [emerg/alert/crit/err/warning/notice/info/debug] Default: info.
| | Up to 4 backup syslog hosts can be configured on the device. |
syslog.fwd.backup.<index>.status – specify the status of backup syslog host [enabled/disabled]. Default: enabled.</code>
syslog.fwd.backup.<index>.host.ip – specify the backup host IP address where syslog messages will be send to.</code>
syslog.fwd.backup.<index>.host.port – specify the port to which syslog messages will be forwarded [0-65535]. Default: 514.
syslog.rotate.status – specify the rotation of logged message status [enabled/disabled]. Default: enabled.
syslog.rotate.at.size – specify the log size (in bytes) after which the rotation should start [1-9223372036854775807]. Default: 102400.
syslog.rcms.alarm.status – specify the status of RCMS alarm reporting [enabled/disabled]. Default: enabled.
syslog.rcms.alarm.level – specify the log level that is the treshold for alarms [emerg/alert/crit/err/warning/notice/info]. Default: crit. Messages that have this level or any level of greater importance are considered alarms and are reported to the RCMS agent.
Example:
# With such configuration all messages that have level equal or higher than # warning will be logged locally. Messages that have level equal or higher # than critical will be logged on the remote syslog server # 192.168.2.150:514, or to the backup server 192.168.2.152:514. The log # message will be rotated when the syslog file will reach the 102400 bytes # size. All messages that have level equal or higher importance than # critical will be considered alarms and will be reported to the RCMS # agent. syslog.status=enabled syslog.file=/var/log/messages syslog.file.msg.level=warning syslog.file.umask=077 syslog.fwd.status=enabled syslog.fwd.backup.1.status=enabled syslog.fwd.backup.1.host.ip=192.168.2.152 syslog.fwd.backup.1.host.port=514 syslog.fwd.host.ip=192.168.2.150 syslog.fwd.host.port=514 syslog.fwd.msg.level=crit syslog.rcms.alarm.status=enabled syslog.rcms.alarm.level=crit syslog.rotate.status=enabled syslog.rotate.at.size=102400
IP Logging
IP logging function logs authenticated client station connection requests.
| | Be sure that syslog feature is configured properly before enabling IP logging feature. |
The configuration file key of the IP Logging feature is:
ulogd.status – specify the IP logging status [enabled/disabled]. Default: disabled.
ulogd.loglevel - specify the message level you need to log. The level determines the importance of the message and the volume of messages generated by the device [debug|info|notice|err|crit]. Default: notice.
When IP logging is enabled the system continuously scans the activity of authenticated users and logs new TCP connection attempts to syslog. Each new connection is logged in the following format:
- Time stamp (time when connection was attempted).
- Source IP, source port.
- Destination IP, destination port.
- Client network card MAC address (if it can be determined).
- WAN interface IP address.
- Username
Example:
# The following configuration snippet illustrates how we can setup IP logging on a router. Please be aware that ULOGD is targeted at router (NAT'ed) platform only and will not work on a simple AP. firewall.rule.5.table=nat firewall.rule.5.chain=POSTROUTING firewall.rule.5.protocol=TCP firewall.rule.5.tcpflags=SYN,RST,ACK SYN firewall.rule.5.target=ULOG firewall.rule.5.t.ulog.nlgroup=2 firewall.rule.5.t.ulog.prefix=non-nat # Masquerade rules (customize to your needs!) firewall.rule.6.table=nat firewall.rule.6.chain=POSTROUTING firewall.rule.6.out=ixp1 firewall.rule.6.target=MASQUERADE firewall.rule.7.table=mangle firewall.rule.7.chain=POSTROUTING firewall.rule.7.protocol=TCP firewall.rule.7.tcpflags=SYN,RST,ACK SYN firewall.rule.7.target=ULOG firewall.rule.7.t.ulog.nlgroup=2 firewall.rule.7.t.ulog.prefix=with-nat # Enable ULOGD service ulogd.status=enabled
Forker Daemon
The Forker is a process management system used for starting processes on the device. This daemon is used for internal purposes and must be always enabled.
The configuration file keys of the Forker daemon are:
forker.status – specifies the status of the Forker daemon [enabled/disabled].
forker.verbose – specify the verbose status of the Forker daemon [enabled/disabled].
Sysctl Plugin
The plugin allows to control kernel/sysctl parameters exported via /proc. Use the following keys to contro sysctl plugin
sysctl.status – specify the status of the sysctl plugin [enabled/disabled].
sysctl.xxx – specify the value of the command. The symbols xxx is part of the key representing path to the file under /proc. Path symbols '/' must be replaced with '.'. Possible keys can be extracted with command:
find /proc/sys -type f | sed 's/\/proc\//sysctl./g' | sed 's/\//\./g'
Example:
sysctl.status=enabled sysctl.sys.net.ipv4.ip_forward=1
System Modules
These keys are used to load optional system modules.
modules.status - specify status of the system module plugin [enabled/disabled].
modules.<index>.status - specify status of the particular module [enabled/disabled].
modules.<index>.name - specify name of the particular module [string].
modules.<index>.arguments - specify an argument of the particular module.
Example:
# user want to specify hashsize for ip_conntrack. modules.status=enabled modules.<index>.status=enabled modules.<index>.name=ip_conntrack modules.<index>.arguments=hashsize=8192
MESH
| | MESH functionality module is available only for WILI-MESH product. Please check our on-line store to obtain this product. |
WILI MESH network control protocol is based on extensions to IEEE 802.11 protocol for signaling, mesh path selection and topology change detection. WILIBOX MESH transport layer based on OSI layer 2 bridging is transparent for all IP and non IP protocols and brings no overhead to wireless data stream. Traffic between client and Mesh Node and between Nodes can be secured by 802.11i (WPA2) supporting pre-shared and dynamic key modes and 802.1x authentication. 802.1Q and 802.1P tags are preserved in intra-mesh transport. IEEE 802.11e standard implementation assures QoS between network elements.
| | For information on WILI MESH network, its topology and WILI MESH configuration using GUI skin please refer to WILI-MESH Skin UG. |
There are two types of mesh network elements: Mesh Node and Mesh Gateway. Mesh Node provides data transport, monitoring and AP functionality for connecting regular 802.11 wireless clients to the network. Mesh node connected to wired backbone will function as Mesh Gateway. Beside Node functionality Mesh Gateway can act as bridge, router, firewall and access controller.
Mesh Node software is logically subdivided into components: Mesh Set and Service Set. Mesh Set selects optimal path to the gateway and provides mesh backhaul connectivity. Service Set is dedicated to service provisioning for 802.11 clients (notebook computers, PDAs, Wi-Fi phone sets, etc.). It covers the functionality of comprehensive high-grade 802.11 access point including MBSSID (Virtual APs) with individual security settings.
The following mesh configuration keys are used to configure the WILI mesh elements:
mesh.status – specify the status of WILI Mesh [enabled/disabled].
mesh.ssid – specify the SSID of the Mesh Node [string, 0-32 characters].
mesh.ssid.is_hex – specify the status of SSID converting to HEX format [enabled/disabled]. For example if SSID string "00552235" (8 symbols) will be converted into HEX format, the real value would be 0x00 0x55 0x22 0x35 (4 HEX symbols)
mesh.ssid=00552235 mesh.ssid.is_hex=enabled
mesh.uplink.<index>.status – specify status of the Uplink [enabled/disabled]. Default: enabled. Uplink is used to connect to other Mesh node.
mesh.uplink.<index>.devname – specify the interface name of the Uplink [string].
mesh.downlink.<index>.status – specify status of the Downlink [enabled/disabled]. Default: enabled. Downlink accepts other mesh nodes connection.
mesh.downlink.<index>.devname – specify the interface name of the Downlink [string].
mesh.downlink.<index>.kill_delay - delay clients disconnect by a configured time (in seconds).
The configurable coefficients for the best path algorithm of the WILI mesh:
mesh.pos_weight – specify the coefficient for path length [0-255].
mesh.min_rate_weight – specify the coefficient for minimal rate over whole path [0-255].
mesh.max_tx_load_weight – specify the coefficient for radio load over whole path [0-255].
mesh.min_hop_threshold – specify the threshold coefficient in percents that arbitrates if the node's Uplink should connect to alternative Best Path [1-100]. The default threshold value 20% means that new Best Path value should be bigger by 20% in order to switch from the current one.
| | Other mesh network settings such as network security, access and management should be configured by using the appropriate configuration sections. |
Mesh Node configuration file example:
mesh.status=enabled mesh.ssid=WILI-Mesh mesh.ssid.is_hex=disabled mesh.uplink.1.status=enabled mesh.uplink.1.devname=ath1 mesh.downlink.1.status=enabled mesh.downlink.1.devname=ath2 mesh.pos_weight=10 mesh.min_rate_weight=1 mesh.max_tx_load_weight=1 mesh.min_hop_threshold=15 # Section: autolock autolock.status=enabled autolock.verbose=enabled autolock.interval=0 autolock.lock.action=down autolock.retry_count=0 autolock.unlock.action=up autolock.control.1.devname=ath0 autolock.control.1.status=enabled autolock.control.2.devname=ath3 autolock.control.2.status=enabled
MESH Gateway configuration file example:
mesh.status=enabled mesh.ssid=WILI-Mesh mesh.ssid.is_hex=disabled mesh.uplink.1.status=disabled mesh.downlink.1.status=enabled mesh.downlink.1.devname=ath2 # Section: autolock autolock.status=enabled autolock.verbose=enabled autolock.interval=0 autolock.lock.action=down autolock.retry_count=0 autolock.unlock.action=up autolock.control.1.devname=ath0 autolock.control.1.status=enabled autolock.control.2.devname=ath3 autolock.control.2.status=enabled
The configuration of the Mesh elements (Mesh Node and Mesh Gateway) should meet following requirements:
- Uplink and Downlink interfaces of the all Mesh elements must have the same SSID in the same network.
- The Uplink should be configured in managed mode (client) and the Downlink should be configured in the master (AP) mode.
- The Uplink and Downlink interfaces on single Mesh Node must be bridged.
- The same wireless security settings must be configured on all Mesh elements.
- Use AutoLock WLAN function to monitor if mesh element is active and can provide wireless service. When network goes down - wireless service will be disabled. When network is up again - wireless service will be re-enabled.
- The additional statistics keys should be specified in the configuration file to send the specific Mesh statistics to the WILI SCOUT.
WILI Scout
WILI Scout is a Java application, integrated into RCMS server or available as stand-alone application. This is a tool for graphical representation for network topology and status of WILI devices including WILI Mesh Nodes. For proper operation WILI Scout needs the statistical information from devices which are operating in network. Since statistical information is gathered using RCMS client, it should be enabled and configured properly for all WILI devices.
| | Without the specified statistics, the WILI Scout will not be able to display WILI MESH network and other WILI devices as it will not receive information from Mesh elements.. |
Use the following samples to setup required WILI MESH elements (gateway and node) statistics for proper WILI Scout functioning. If WILI Scout is used as stand-alone application, change
rcms.heartbeat.url=http://rcms.wilibox.com/heartbeat.php
to:
rcms.heartbeat.url=http://192.168.2.2:8282/heartbeat.php , where address is your local machine IP, where application runs.
Example 1:
##Mesh Gateway Configuration # #Mesh gateway with ath0 dedicated for service set and ath1 - for mesh #downlink rcms.status=enabled # ## Setup RCMS agent rcms.connection.persistent=no rcms.connection.timeout=10 rcms.heartbeat.interval=10 rcms.statistics.interval=10 rcms.heartbeat.url=http://rcms.wilibox.com/heartbeat.php # ## Report statistics for RCMS server rcms.heartbeat.optional.1.status=enabled rcms.heartbeat.optional.1.name=uptime rcms.heartbeat.optional.1.oid=.1.3.6.1.2.1.1.3.0 rcms.heartbeat.optional.2.status=enabled rcms.heartbeat.optional.2.name=cpu_load_5 rcms.heartbeat.optional.2.oid=.1.3.6.1.4.1.2021.10.1.5.2 rcms.heartbeat.optional.3.status=enabled rcms.heartbeat.optional.3.name=mem_free rcms.heartbeat.optional.3.oid=.1.3.6.1.4.1.2021.4.11.0 # ## MESH statistics for RCMS server and WILI Scout rcms.heartbeat.mesh_statistics=enabled
Example 2:
##Mesh Node Configuration # #The configuration for a regular mesh node, with ath0 for service set, ath1 - mesh uplink, and ath2 - mesh downlink #rcms.status=enabled # ## Setup RCMS agent rcms.connection.persistent=no rcms.connection.timeout=10 rcms.heartbeat.interval=10 rcms.statistics.interval=10 rcms.heartbeat.url=http://rcms.wilibox.com/heartbeat.php # ## Report statistics for RCMS server rcms.heartbeat.optional.1.status=enabled rcms.heartbeat.optional.1.name=uptime rcms.heartbeat.optional.1.oid=.1.3.6.1.2.1.1.3.0 rcms.heartbeat.optional.2.status=enabled rcms.heartbeat.optional.2.name=cpu_load_5 rcms.heartbeat.optional.2.oid=.1.3.6.1.4.1.2021.10.1.5.2 rcms.heartbeat.optional.3.status=enabled rcms.heartbeat.optional.3.name=mem_free rcms.heartbeat.optional.3.oid=.1.3.6.1.4.1.2021.4.11.0 # ## MESH statistics for RCMS server and WILI Scout rcms.heartbeat.mesh_statistics=enabled
.
