RADIUSdesk WiFi Hotspot Manager and GUI for FreeRADIUS
MESHdesk Streamlined Mesh Controller

Ubiquiti with OpenWrt and CoovaChilli

Introduction

In this document we will flash the latest OpenWrt (Attitude Adjustment 12.09) onto a Ubiquiti PicoStation2.
We will then install CoovaChilli onto the device and point it at our RADIUSdesk server.
Finally we will implement the heartbeat system so that the device can communicate with RADIUSdesk from behind a NAT firewall.

In the past

In the past people had bad experiences with the PicoStation2 hardware. I suspect, however, that it was a bad batch of hardware, since the complaints on the forum ceased after a while.

For completeness I want to give you a heads-up, since people may still own or try to sell potentially troublesome devices:
http://www.ubnt.com/forum/showthread.php?t=10522


Flashing OpenWRT onto the PicoStation2

On a unit still running the stock firmware this can be done in one of two ways: through the AirOS web interface, or by TFTP to the RedBoot bootloader. Once the device is running OpenWrt, only the TFTP method applies.

Obtain the firmware

  • OpenWrt is a free, open source firmware that runs on many different hardware platforms.
  • The OpenWrt project saves us the trouble of compiling firmware for the PicoStation2 by publishing a ready-to-flash image.
  • Download openwrt-atheros-ubnt2-pico2-squashfs.bin from the OpenWrt download site (http://downloads.openwrt.org/attitude_adjustment/12.09/atheros/generic/). The same directory carries an md5sums file; compare the downloaded image against it before you flash, since a corrupt or truncated image will not boot.
  • This procedure flashes third-party software (OpenWrt) onto the PicoStation2.
  • This may damage the device and void the warranty.
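Before flashing, it is worth confirming that the image you downloaded is the one the OpenWrt project published. The following is an added example (not code from the RADIUSdesk page or from the OpenWrt project) that checks an image against the sums file published next to it. It assumes the usual "<hex digest>  <filename>" layout of OpenWrt's md5sums and sha256sums files and the md5sum/sha256sum tools from coreutils or busybox; the image and sums file in its demonstration are constructed stand-ins, not real firmware.

```shell
#!/bin/sh
# Added example (not part of the RADIUSdesk page): check a downloaded OpenWrt
# image against the sums file published next to it before flashing.
# Assumes a sums file in the "<hex digest>  <filename>" layout (OpenWrt's
# md5sums / sha256sums) and md5sum / sha256sum from coreutils or busybox.

# verify_image IMAGE SUMSFILE
#   0 = digest matches, 1 = mismatch, 2 = image not listed, 3 = unknown digest type
verify_image() {
    image=$1
    sums=$2
    name=$(basename "$image")

    # Digest recorded for this filename ("*name" marks binary mode in some listings).
    expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no digest for $name in $sums" >&2
        return 2
    fi

    # Pick the hash by digest length: 32 hex chars = MD5, 64 = SHA-256.
    case ${#expected} in
        32) tool=md5sum ;;
        64) tool=sha256sum ;;
        *)  echo "unrecognised digest length ${#expected} for $name" >&2; return 3 ;;
    esac

    actual=$($tool "$image" | awk '{ print $1 }')
    if [ "$actual" = "$expected" ]; then
        echo "OK ($tool): $name"
        return 0
    fi
    echo "MISMATCH ($tool): $name expected $expected got $actual" >&2
    return 1
}

# Demonstration on constructed data: a stand-in image, its sums file, then the
# same file after a one-byte change (what a truncated or tampered download looks like).
demo_verify() {
    d=$(mktemp -d)
    img="$d/openwrt-atheros-ubnt2-pico2-squashfs.bin"
    printf 'constructed stand-in for the firmware image\n' > "$img"
    ( cd "$d" && sha256sum "$(basename "$img")" > sha256sums )
    verify_image "$img" "$d/sha256sums"
    printf 'X' >> "$img"
    verify_image "$img" "$d/sha256sums" || echo "(altered image rejected, as it should be)"
    rm -rf "$d"
}

demo_verify
```

On a real download: verify_image openwrt-atheros-ubnt2-pico2-squashfs.bin md5sums. This catches a corrupt or truncated download. It only catches a substituted image if the sums file itself came from a source you trust, and an MD5 match says little against a deliberately crafted collision, so prefer a SHA-256 listing where the project publishes one.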

Flash using AirOS

  • The PicoStation2 ships with Ubiquiti's own firmware, called AirOS.
  • Connect the PicoStation2 through the supplied PoE injector to an existing network. (Ensure that this network does not already have a host on 192.168.1.20.)
  • Ensure the PicoStation2 is reset to factory defaults. The reset micro switch is next to the RJ45 socket on the PicoStation2 unit.
  • Change the IP address of the workstation onto which you downloaded the OpenWrt firmware so that it is on the same subnet as the PicoStation2 (e.g. 192.168.1.100).
  • Check that you can reach the PicoStation2 by pointing your browser at http://192.168.1.20
  • Flash the OpenWrt firmware onto the PicoStation2. When you select the firmware file, the web interface warns you that you are about to install non-standard firmware and shows details of the OpenWrt build. Click OK to continue.
  • The flash process takes approximately 4 minutes. During that time the LEDs on the PicoStation2 flash in different colours and at different intensities as the flashing proceeds.
  • When it is complete only the bottom LED (Power) stays lit, with the one just above it (Network traffic) flickering to indicate network activity.
  • Power cycle the PicoStation2 by unplugging the LAN cable and plugging it back in.
  • Wait about a minute and then try to ping the PicoStation2 on 192.168.1.1. Note that this IP differs from the stock PicoStation2 firmware's IP, which is 192.168.1.20.
  • Set a root password on the device: telnet to the device IP and run passwd. Until a root password is set, OpenWrt accepts telnet logins without any password, so do this before the unit is left on a shared network.
  • Reboot the device. After the reboot telnet is disabled and the SSH server (dropbear) is used instead; log in via ssh with the password set in the previous step.

Flash using TFTP

Background

Ubiquiti devices use the RedBoot bootloader. This is a proper boot loader and very powerful.
It was originally developed by Red Hat.
Using RedBoot makes it virtually impossible to brick your router.
It can be initialized in a way which will start a tftp server on a specified IP address.
This allows us then to dump firmware on the device using a tftp client.
You can do the initial flash or upgrades and reverting back with this method.

Procedure

  • Power cycle the unit and immediately hold the reset button for ~10 seconds until the LEDs glow alternately.
  • TFTP openwrt-atheros-ubnt2-pico2-squashfs.bin to 192.168.1.20 (the default IP on which the Ubiquiti device's RedBoot TFTP server listens):
tftp 192.168.1.20
tftp> binary
tftp> rexmt 1
tftp> trace
tftp> put openwrt-atheros-ubnt2-pico2-squashfs.bin
  • Wait for the image to load onto the device.
  • This usually takes at least 5 to 10 minutes.
  • Once finished, the LEDs stop glowing alternately red and orange.
  • Once finished, you should get a ping response from 192.168.1.1.
  • Set a root password on the device: telnet to the device IP and run passwd. Until a root password is set, OpenWrt accepts telnet logins without any password.
  • Reboot the device. After the reboot telnet is disabled and the SSH server (dropbear) is used instead; log in via ssh with the password set in the previous step.

Reconfigure the Access Point

The default OpenWrt configuration has two settings which we have to change:

  • The LAN and WLAN are bridged.
  • There is a DHCP server (dnsmasq) running on the LAN.

The DHCP server on the LAN can wreak havoc: as soon as the unit is plugged into an existing network it answers DHCP requests from every host on that network (a rogue DHCP server), handing out addresses and a gateway that are wrong for that network.

Default Configuration

  • Ethernet and wireless are bridged.
  • The start-up scripts create a bridge called br-lan.
  • The IP address of the device is assigned to the br-lan interface.
  • The members of br-lan are eth0 and wlan0.

CoovaChilli Configuration

  • Remove the bridge between the eth0 and wlan0 interfaces.
  • Assign the device's IP address to eth0.
  • Hand wlan0 to CoovaChilli.
  • CoovaChilli creates a tun interface (tun0) on top of wlan0 and serves DHCP to the WiFi clients itself.
  • Traffic between wlan0 and eth0 passes through that tunnel and is NATed on the WAN side by the MASQUERADE rule the start-up script adds.
  • The chilli program is the gatekeeper: it decides which traffic may flow between eth0 and wlan0, and an unauthenticated client is only allowed through to the login page.

Procedure

  • Comment out the bridge option in /etc/config/network.
config interface lan
        option ifname   eth0
#       option type     bridge
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0
        option gateway  192.168.1.200
        option dns      192.168.1.200
  • Enable the wireless radio in /etc/config/wireless by removing (or commenting out) the disabled option:
      # REMOVE THIS LINE TO ENABLE WIFI:
      #option disabled 1
  • Comment out the line which causes the wireless interface to be added to br-lan in /etc/config/wireless
  # option network lan
  • Reboot the unit.
  • SSH into the unit and confirm that the IP address 192.168.1.1 is now assigned to eth0 and that there is no longer a br-lan interface.
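A quick way to confirm that the edits took, as an added example that is not from the RADIUSdesk page: the two UCI files are parsed as text and the checks fail if the bridge, the disabled flag, or the wireless interface's membership of lan is still active. If br-lan survives, WiFi clients land directly on the LAN and never pass through chilli at all. The copies of /etc/config/network and /etc/config/wireless in the demonstration are constructed from the snippets above; the interface and radio names (eth0, wlan0, wifi0) are assumptions taken from this page.

```shell
#!/bin/sh
# Added example (not from the RADIUSdesk page): verify that the OpenWrt config
# really is un-bridged before chilli is started. The UCI files are parsed as
# text; lines commented out with # are ignored, as UCI itself ignores them.
# Assumes the names used on the page (lan on eth0, wireless joined to lan via
# "option network lan").

# check_lan_unbridged NETWORK_FILE : 0 if the lan section is not a bridge and sits on eth0
check_lan_unbridged() {
    awk -v q="'" '
        /^[ \t]*#/ { next }                                    # commented-out option
        { gsub(q, "") }                                        # strip UCI quoting
        $1 == "config" { section = ($2 == "interface") ? $3 : ""; next }
        section == "lan" && $1 == "option" && $2 == "type" && $3 == "bridge" { bridged = 1 }
        section == "lan" && $1 == "option" && $2 == "ifname" { ifname = $3 }
        END { exit (bridged == 0 && ifname == "eth0") ? 0 : 1 }
    ' "$1"
}

# check_wifi_detached WIRELESS_FILE : 0 if the radio is enabled and no wifi-iface joins lan
check_wifi_detached() {
    awk -v q="'" '
        /^[ \t]*#/ { next }
        { gsub(q, "") }
        $1 == "config" { section = $2; next }
        $1 == "option" && $2 == "disabled" && $3 == "1" { disabled = 1 }
        section == "wifi-iface" && $1 == "option" && $2 == "network" && $3 == "lan" { attached = 1 }
        END { exit (disabled || attached) ? 1 : 0 }
    ' "$1"
}

# check_unbridged NETWORK_FILE WIRELESS_FILE : report both checks, 0 only if both pass
check_unbridged() {
    rc=0
    if check_lan_unbridged "$1"; then echo "lan: on eth0, not bridged"
    else echo "lan: still bridged or not on eth0 (clients would bypass chilli)"; rc=1; fi
    if check_wifi_detached "$2"; then echo "wifi: enabled, not a member of br-lan"
    else echo "wifi: disabled or still attached to lan"; rc=1; fi
    return $rc
}

# Demonstration on constructed copies of the two files: the stock layout, then
# the same files after the three comment-outs the procedure makes.
demo_unbridge() {
    d=$(mktemp -d)
    cat > "$d/network" <<'EOF'
config interface lan
        option ifname   eth0
        option type     bridge
        option proto    static
        option ipaddr   192.168.1.1
        option netmask  255.255.255.0
EOF
    cat > "$d/wireless" <<'EOF'
config wifi-device  wifi0
        option type     atheros
        # REMOVE THIS LINE TO ENABLE WIFI:
        option disabled 1

config wifi-iface
        option device   wifi0
        option network  lan
        option mode     ap
        option ssid     OpenWrt
EOF
    sed 's/^\([[:space:]]*\)\(option[[:space:]]*type[[:space:]]*bridge\)/\1# \2/' "$d/network" > "$d/network.new"
    sed -e 's/^\([[:space:]]*\)\(option[[:space:]]*disabled[[:space:]]*1\)/\1# \2/' \
        -e 's/^\([[:space:]]*\)\(option[[:space:]]*network[[:space:]]*lan\)/\1# \2/' "$d/wireless" > "$d/wireless.new"
    echo "--- stock configuration:"; check_unbridged "$d/network" "$d/wireless" || true
    echo "--- after the edits:";     check_unbridged "$d/network.new" "$d/wireless.new" || true
    rm -rf "$d"
}

demo_unbridge
```

On the unit itself: check_unbridged /etc/config/network /etc/config/wireless. A non-zero exit means the configuration still bridges WiFi onto the LAN, which is worth catching before chilli is installed rather than after the first client walks straight past it.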

Install CoovaChilli

This section requires the PicoStation to be able to reach the Internet, since the packages are downloaded from the OpenWrt repositories.

  • OpenWrt features a package management system much like apt on Debian-based GNU/Linux systems.
  • OpenWrt's package manager is called opkg and is configured through the /etc/opkg.conf file.
  • If you go through a proxy server to reach the package repository, you have to specify the proxy before opkg is able to list or install packages.
  • Add the following line to /etc/opkg.conf (replace the host and port with those of your own proxy):
option http_proxy http://proxy.co.za:3128/
  • Run the following command to pull a list of the latest packages
opkg update
  • Install the following package using opkg install. Its dependencies are installed automatically.
opkg install coova-chilli

Configure CoovaChilli

We need to configure CoovaChilli to work with RADIUSdesk.
In this section we assume that RADIUSdesk has the IP address 192.168.1.11.

  • Start by copying /etc/chilli/defaults to /etc/chilli/config:
cp /etc/chilli/defaults /etc/chilli/config
  • Edit the config file and take care to set the following important variables. The values shown for the two secrets are placeholders; replace each with a long, random value of your own.

Variable         Value                                                                       Comment
HS_LANIF         wlan0                                                                       The WiFi interface that CoovaChilli takes over.
HS_UAMSECRET     greatsecret (placeholder)                                                   Must match the value set in rd_login_pages/services/uam.php in the web server's document root on RADIUSdesk.
HS_RADIUS        192.168.1.11                                                                The RADIUS server running on RADIUSdesk.
HS_RADIUS2       192.168.1.11                                                                Secondary RADIUS server; with a single RADIUSdesk host, point it at the same address.
HS_RADSECRET     Secret (placeholder)                                                        Shared secret between this device and the RADIUS server; it must match the entry for this device on RADIUSdesk.
HS_UAMHOMEPAGE   (comment out: add a # in front)                                             Remove this definition, and the one in /etc/chilli/defaults, to speed up loading of the login page. This removes the splash page.
HS_UAMFORMAT     http://192.168.1.11/cake2/rd_cake/dynamic_details/chilli_browser_detect/   The RADIUSdesk URL that serves the dynamic login page.
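The two secrets in the table are the only things that authenticate this device to the RADIUS server and the login page to chilli, and the values shown are placeholders. The following added example (not part of the RADIUSdesk page or of CoovaChilli) reads /etc/chilli/defaults and /etc/chilli/config the way chilli's functions script does (defaults first, config overriding) without sourcing them, and refuses the placeholder values, short secrets, and a still-active HS_UAMHOMEPAGE. The placeholder list and the 16-character minimum are this example's own policy; the two files in its demonstration are constructed from the table above.

```shell
#!/bin/sh
# Added example (not part of the RADIUSdesk page or CoovaChilli): sanity-check
# /etc/chilli/config before starting chilli. The files are parsed as VAR=value
# lines rather than sourced, so a broken config cannot execute anything here.
# Assumptions: files are read in the order chilli's functions script sources
# them (defaults first, config second, later values win); the placeholder list
# and the 16-character minimum are this example's own policy.

# cfg_get VAR FILE... : last active assignment of VAR across FILE..., quotes stripped
cfg_get() {
    var=$1; shift
    awk -v var="$var" -v q="'" '
        /^[ \t]*#/ { next }                           # commented out (as HS_UAMHOMEPAGE should be)
        {
            line = $0; sub(/^[ \t]*/, "", line)
            if (index(line, var "=") == 1) {
                val = substr(line, length(var) + 2)
                sub(/[ \t]+#.*$/, "", val)            # trailing comment
                gsub(/"/, "", val); gsub(q, "", val)  # shell quoting
                last = val
            }
        }
        END { print last }
    ' "$@"
}

# new_secret : 32 hex characters (128 bits) from /dev/urandom, for HS_RADSECRET / HS_UAMSECRET
new_secret() {
    head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# check_chilli_config DEFAULTS CONFIG : 0 if the RADIUSdesk-relevant settings look sane
check_chilli_config() {
    rc=0
    for v in HS_LANIF HS_RADIUS HS_RADSECRET HS_UAMSECRET HS_UAMFORMAT; do
        if [ -z "$(cfg_get "$v" "$@")" ]; then
            echo "FAIL: $v is not set"; rc=1
        fi
    done
    for v in HS_RADSECRET HS_UAMSECRET; do
        val=$(cfg_get "$v" "$@")
        [ -n "$val" ] || continue
        case "$val" in                                # the page's placeholders + FreeRADIUS's stock client secret
            Secret|greatsecret|testing123) echo "FAIL: $v is a placeholder value"; rc=1 ;;
        esac
        if [ "${#val}" -lt 16 ]; then
            echo "FAIL: $v is shorter than 16 characters"; rc=1
        fi
    done
    if [ -n "$(cfg_get HS_UAMHOMEPAGE "$@")" ]; then
        echo "FAIL: HS_UAMHOMEPAGE is still defined (splash page); comment it out in both files"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: config usable with RADIUSdesk"; fi
    return $rc
}

# Demonstration on constructed files: the table's values as written, then the
# same config with generated secrets and the splash page removed from defaults.
demo_chilli_check() {
    d=$(mktemp -d)
    cat > "$d/defaults" <<'EOF'
HS_WANIF=eth0
HS_LANIF=eth1
HS_RADSECRET=testing123
HS_UAMHOMEPAGE=http://$HS_UAMLISTEN:$HS_UAMPORT/www/coova.html
EOF
    cat > "$d/config" <<'EOF'
HS_LANIF=wlan0
HS_UAMSECRET=greatsecret
HS_RADIUS=192.168.1.11
HS_RADIUS2=192.168.1.11
HS_RADSECRET=Secret
# HS_UAMHOMEPAGE=http://$HS_UAMLISTEN:$HS_UAMPORT/www/coova.html
HS_UAMFORMAT=http://192.168.1.11/cake2/rd_cake/dynamic_details/chilli_browser_detect/
EOF
    echo "--- table values as written:"
    check_chilli_config "$d/defaults" "$d/config" || true
    sed -e "s/^HS_RADSECRET=.*/HS_RADSECRET=$(new_secret)/" \
        -e "s/^HS_UAMSECRET=.*/HS_UAMSECRET=$(new_secret)/" "$d/config" > "$d/config.fixed"
    sed 's/^HS_UAMHOMEPAGE=/# &/' "$d/defaults" > "$d/defaults.fixed"
    echo "--- generated secrets, splash page removed:"
    check_chilli_config "$d/defaults.fixed" "$d/config.fixed" || true
    rm -rf "$d"
}

demo_chilli_check
```

On the unit, run check_chilli_config /etc/chilli/defaults /etc/chilli/config after editing. new_secret gives a value to paste into HS_RADSECRET (and into this device's entry on RADIUSdesk) and another into HS_UAMSECRET (and into uam.php); the RADIUS shared secret is all that protects the RADIUS exchange on the wire, so it should be unique per device rather than shared across the fleet.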

Startup Script

  • The CoovaChilli package as installed does not ship with a start-up script.
  • You can use the following as a sample:
#!/bin/sh /etc/rc.common
# ============================================
# == Coova Chilli Startup Script =============
# == Hardware: Ubiquiti PicoStation2 =========
# == OpenWrt version 12.09 ===================
# == Date 2013-07-03 =========================
# ============================================
 
START=80
STOP=85
 
# /etc/chilli/functions reads /etc/chilli/defaults and /etc/chilli/config,
# which is where $HS_WANIF and $HS_LANIF come from.
. /etc/chilli/functions
 
start() {
    echo start
    # commands to launch the application
    /sbin/modprobe tun > /dev/null 2>&1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    writeconfig
    radiusconfig
    # Flush every existing NAT POSTROUTING rule, then masquerade hotspot traffic out of the WAN interface.
    iptables -F POSTROUTING -t nat
    iptables -I POSTROUTING -t nat -o "$HS_WANIF" -j MASQUERADE
    # The WiFi interface carries no address of its own; chilli's tun interface does.
    ifconfig "$HS_LANIF" 0.0.0.0
    checkrunning
}
 
stop() {
    echo stop
    killall chilli
}
 
checkrunning(){
    check=`/bin/pidof chilli`
    if [ -z "$check" ]
    then
        echo "Chilli not running"
        chilli
    else
        echo "Chilli running PID: $check"
    fi
}
 
  • Create a file called /etc/init.d/coova with the above contents.
  • Make it executable and enable it so that it starts on boot:
chmod 755 /etc/init.d/coova
/etc/init.d/coova enable
  • Disable the dnsmasq service. CoovaChilli serves DHCP to the WiFi clients itself and relays their DNS, and leaving dnsmasq running would keep the rogue DHCP server on the LAN side alive:
/etc/init.d/dnsmasq disable

Enjoy the fruits of our labor

  • Reboot the unit, connect a WiFi client to the access point and check that it is handed a 10.1.0.x IP address (CoovaChilli's default HS_NETWORK).
  • Try to reach the Internet: with your browser (no proxy configured), open any plain HTTP (port 80) web page. An HTTPS page will not do for this test, since CoovaChilli can only redirect unencrypted HTTP; the browser shows a certificate error or times out instead.
  • You should be redirected to the dynamic login page served by RADIUSdesk.