Ubiquity with OpenWRT and CoovaChilli
Introduction
In this document we will flash the latest OpenWRT (Attitude Adjustment 12.09) onto a Ubiquity PicoStation2.
We will then install CoovaChilli onto the device and point it to our RADIUSdesk server.
Finally we will implement the heartbeat system in order to communicate through a NAT firewall.
In the past
In the past people had a bad experience with the PicoStation2 hardware. I do however suspect that it was actually a bad batch of hardware since the complaints on the forum ceased after a while.
For completeness I do however want to give you a heads-up since people may still own or try to sell potentially troublesome devices.
http://www.ubnt.com/forum/showthread.php?t=10522
Flashing OpenWRT onto the PicoStation2
This can initially be done in one of two ways. Once the device runs OpenWrt, only the TFTP method can be used.
Obtain the firmware
- OpenWrt is a totally free Open Source firmware which runs on many different hardware platforms.
- The folks at OpenWrt saved us the hassle of compiling firmware for the PicoStation2 by supplying a ready-to-flash firmware which we can download.
- Download openwrt-atheros-ubnt2-pico2-squashfs.bin from the OpenWRT download site. (http://downloads.openwrt.org/attitude_adjustment/12.09/atheros/generic/)
- This procedure involves flashing Third Party Software (OpenWrt) into the PicoStation2.
- This may damage the device and void the warranty.
Flash using AirOS
- The PicoStation2 comes installed with Ubiquity firmware called AirOS.
- Connect the PicoStation2 through the supplied POE injector to an existing network. (Ensure that this network does not have a host on the IP 192.168.1.20.)
- Ensure the PicoStation2 is cleared to factory defaults. A reset micro switch is next to the RJ45 Socket on the PicoStation2 unit.
- Change the IP address of the workstation to which you downloaded the OpenWrt firmware to be on the same subnet as the PicoStation2 (e.g. 192.168.1.100).
- See if you can connect to the PicoStation2 by pointing your browser to: http://192.168.1.20
- Flash the OpenWrt firmware onto the PicoStation2. When you select the firmware file, the web interface will warn you that you are about to install non-standard firmware and will give more detail on the build of the OpenWrt firmware. Click OK to continue.
- The flash process will take approximately 4 minutes. During that time the LEDs on the PicoStation2 will flash in different colors and at different intensities as it completes the flashing process.
- When it is complete only the bottom LED (Power) will be lit, with the one just above it (Network traffic) flickering to indicate network activity.
- Power cycle the PicoStation2 by removing the LAN cable and plugging it back again.
- Wait for about a minute and try to ping the PicoStation2 on the IP 192.168.1.1. Please note that this IP is different from the default PicoStation2 firmware's IP, which is 192.168.1.20.
- Create a root password on the device.
- Telnet to the device IP.
- Set the root password.
- Reboot the device; this will start an sshd server. You can log in via ssh with the password supplied in the previous step.
Flash using TFTP
Background
Ubiquity makes use of the RedBoot bootloader. This is a proper boot loader and very powerful.
It was initially developed by Red Hat.
Using RedBoot makes it virtually impossible to brick your router.
It can be initialized in a way which will start a tftp server on a specified IP address.
This allows us then to dump firmware on the device using a tftp client.
You can do the initial flash or upgrades and reverting back with this method.
Procedure
- Power cycle the unit and immediately hold the reset button for ~10 seconds until the LEDs glow alternately.
- TFTP openwrt-atheros-ubnt2-pico2-squashfs.bin to 192.168.1.20 (default IP of the Ubiquity device):
    tftp 192.168.1.20
    tftp> binary
    tftp> rexmt 1
    tftp> trace
    tftp> put openwrt-atheros-ubnt2-pico2-squashfs.bin
- Wait for the image to load on the device.
- This will usually take at least 5 to 10 minutes.
- Once finished, the LEDs should stop glowing alternately red and orange.
- Once finished, you should be able to get a ping response from 192.168.1.1.
- Create a root password on the device.
- Telnet to the device IP.
- Set the root password.
- Reboot the device; this will start an sshd server. You can log in via ssh with the password supplied in the previous step.
Reconfigure the Access Point
The default OpenWRT firmware has the following configuration which we have to change:
- The LAN and WLAN are bridged.
- There is a DHCP server running on the LAN.
The DHCP server running on the LAN can potentially wreak havoc on the network the unit is plugged into.
Default Configuration
- Ethernet and Wireless are bridged
- Start-up scripts create a bridge called br-lan.
- The IP address of the device gets assigned to the br-lan interface.
- Members of br-lan are eth0 and wlan0.
CoovaChilli Configuration
- Remove bridge between eth0 and wlan0 interfaces.
- Assign the device's IP address to eth0.
- Assign wlan0 to CoovaChilli.
- This will create a tunnel interface on wlan0.
- This tunnel will do NAT on the traffic between eth0 and wlan0.
- The Chilli program will be the gatekeeper, deciding which traffic will flow between eth0 and wlan0.
Procedure
- Comment out the bridge option in /etc/config/network.
    config interface lan
        option ifname eth0
        # option type bridge
        option proto static
        option ipaddr 192.168.1.1
        option netmask 255.255.255.0
        option gateway 192.168.1.200
        option dns 192.168.1.200
- Activate the wireless in /etc/config/wireless.
# REMOVE THIS LINE TO ENABLE WIFI: #option disabled 1
- Comment out the line which causes the wireless interface to be added to br-lan in /etc/config/wireless
# option network lan
- Reboot the unit.
- SSH into the unit and ensure the IP address 192.168.1.1 is now assigned to eth0.
Install CoovaChilli
Remember that this section requires the PicoStation to be able to go out on the Internet.
- OpenWrt features a package management system much like apt in Debian-based GNU/Linux systems.
- OpenWrt's package manager is called opkg and configured through the /etc/opkg.conf file.
- If you go through a proxy server to get to the packages you will have to specify the proxy before opkg will be able to install or list available packages.
- Add the following line to opkg.conf:
option http_proxy http://proxy.co.za:3128/
- Run the following command to pull a list of the latest packages:
opkg update
- Install the following package using opkg install. The dependencies should install automatically.
opkg install coova-chilli
Configure CoovaChilli
We need to configure CoovaChilli to work with RADIUSdesk.
In this section we will assume RADIUSdesk has an IP of 192.168.1.11.
- Start out by copying /etc/chilli/defaults to /etc/chilli/config:
cp /etc/chilli/defaults /etc/chilli/config
- Edit the config file and take care to specify the following important variables:
Variable | Value | Comment |
---|---|---|
HS_LANIF | wlan0 | This is the WiFi interface |
HS_UAMSECRET | greatsecret | Must be the same as the value specified in rd_login_pages/services/uam.php in the webserver's document root on RADIUSdesk |
HS_RADIUS | 192.168.1.11 | Points to the RADIUS server running on RADIUSdesk |
HS_RADIUS2 | 192.168.1.11 | Points to the RADIUS server running on RADIUSdesk |
HS_RADSECRET | Secret | Shared secret between the device and the RADIUS server |
HS_UAMHOMEPAGE | comment out (add a # in front) | Remove this definition, as well as the one in /etc/chilli/defaults, to speed up the loading of the log-in page. This removes the splash page. |
HS_UAMFORMAT | http://192.168.1.11/cake2/rd_cake/dynamic_details/chilli_browser_detect/ | The dynamic log-in page served by RADIUSdesk |
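As an added example (not from the original page or the CoovaChilli project), a small POSIX shell check that parses /etc/chilli/config and compares it with the table above before you enable the start-up script. The expected UAM secret is passed in, since it has to match uam.php on RADIUSdesk; the stock HS_RADSECRET value testing123 is assumed from the package's defaults file, and the two sample configs are constructed for the dry run.

```shell
#!/bin/sh
# Added example, not from the original page or the CoovaChilli project: lint
# /etc/chilli/config against the table above before enabling the init script.
# Findings go to stderr, the count of findings to stdout. "testing123" is
# assumed to be the stock HS_RADSECRET value from the package's defaults file.
# Value of variable $2 in file $1: last active assignment wins, commented-out
# lines are ignored, surrounding double quotes are stripped.
chilli_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed 's/^"//; s/"$//'
}
# Usage: check_chilli_config CONFIG UAMSECRET  (the secret set in uam.php)
check_chilli_config() {
    cfg=$1; want_uam=$2; n=0
    fail() { echo "$cfg: $1" >&2; n=$((n + 1)); }
    [ "$(chilli_get "$cfg" HS_LANIF)" = "wlan0" ] ||
        fail "HS_LANIF must be wlan0, the unbridged WiFi interface"
    for v in HS_RADIUS HS_RADIUS2 HS_UAMFORMAT; do
        [ -n "$(chilli_get "$cfg" $v)" ] || fail "$v is not set"
    done
    rs=$(chilli_get "$cfg" HS_RADSECRET)
    [ -n "$rs" ] && [ "$rs" != "testing123" ] ||
        fail "HS_RADSECRET is unset or still the stock value"
    [ "$(chilli_get "$cfg" HS_UAMSECRET)" = "$want_uam" ] ||
        fail "HS_UAMSECRET does not match the secret in uam.php on RADIUSdesk"
    [ -z "$(chilli_get "$cfg" HS_UAMHOMEPAGE)" ] ||
        fail "HS_UAMHOMEPAGE is still active; comment it out to drop the splash page"
    echo "$n"
}
# Constructed sample configs (not files from a real device) for a dry run.
CHILLI_BAD=$(mktemp); CHILLI_GOOD=$(mktemp)
cat > "$CHILLI_BAD" <<'EOF'
HS_LANIF=br-lan
HS_RADIUS=192.168.1.11
HS_RADSECRET=testing123
HS_UAMSECRET=greatsecret
HS_UAMHOMEPAGE=http://$HS_UAMLISTEN:$HS_UAMPORT/www/coova.html
HS_UAMFORMAT=http://192.168.1.11/cake2/rd_cake/dynamic_details/chilli_browser_detect/
EOF
cat > "$CHILLI_GOOD" <<'EOF'
HS_LANIF=wlan0
HS_RADIUS=192.168.1.11
HS_RADIUS2=192.168.1.11
HS_RADSECRET="Secret"
HS_UAMSECRET=greatsecret
# HS_UAMHOMEPAGE=http://$HS_UAMLISTEN:$HS_UAMPORT/www/coova.html
HS_UAMFORMAT=http://192.168.1.11/cake2/rd_cake/dynamic_details/chilli_browser_detect/
EOF
echo "bad sample: $(check_chilli_config "$CHILLI_BAD" greatsecret) finding(s)"
echo "good sample: $(check_chilli_config "$CHILLI_GOOD" greatsecret) finding(s)"
```

On the device, run it as `[ "$(check_chilli_config /etc/chilli/config YOURSECRET)" -eq 0 ]` before `/etc/init.d/coova enable`.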
Startup Script
- The CoovaChilli package that is installed is missing a start-up script.
- You can use the following as a sample.
    #!/bin/sh /etc/rc.common
    # ============================================
    # == Coova Chilli Startup Script =============
    # == Hardware: Ubiquity PicoStation2 =========
    # == OpenWRT version 12.09 ===================
    # == Date 2013-07-03 =========================
    # ============================================
    START=80
    STOP=85

    # provides the HS_* settings and the writeconfig/radiusconfig helpers
    . /etc/chilli/functions

    start() {
        echo start
        # commands to launch application
        /sbin/modprobe tun > /dev/null 2>&1
        echo 1 > /proc/sys/net/ipv4/ip_forward
        writeconfig
        radiusconfig
        # masquerade hotspot traffic leaving through the WAN interface
        iptables -F POSTROUTING -t nat
        iptables -I POSTROUTING -t nat -o $HS_WANIF -j MASQUERADE
        # chilli takes over the WiFi interface; clear any address on it first
        ifconfig $HS_LANIF 0.0.0.0
        checkrunning
    }

    stop() {
        echo stop
        killall chilli
    }

    checkrunning(){
        check=`/bin/pidof chilli`
        # quote $check: pidof may print several PIDs, which would break the test
        if [ -z "$check" ]
        then
            echo "Chilli not running"
            chilli
        else
            echo "Chilli running PID: "$check
        fi
    }
- Create a file called /etc/init.d/coova with the above contents.
- Make it executable and enable it so that it starts upon reboot.
    chmod 755 /etc/init.d/coova
    /etc/init.d/coova enable
- Disable the dnsmasq service:
/etc/init.d/dnsmasq disable
Enjoy the fruits of our labor
- Reboot the unit and see if the Access Point interface hands you a 10.1.0.x IP address.
- Try to connect to the Internet (using your browser without a proxy, open any www (port 80) web page).
- You should be redirected to the dynamic log-in page served by RADIUSdesk.