First of all: this guide is no replacement for the great OpenWrt documentation. Rather, this guide shows what software I use and how I configure the system. Sure, some software components smell fishy, the hardware could be better and so on. But this setup is great, fulfills my requirements and at least does not use any proprietary components like a FritzBox (who wants closed source in the private network? Do they backport all kernel bugfixes? … too many questions - not an option for me).
For critics, comments, tips you can contact me via twitter: hgnize or write an email: email@example.com (GnuPG ID: 98350C22, Fingerprint: 490F 557B 6C48 6D7E 5706 2EA2 4A22 8D45 9835 0C22)
This howto is gradually extended; from time to time I will uncover new sections - stay tuned. Last but not least: I use a Linksys WRT 1900 AC router here. So all WiFi specific configurations are a little bit aligned to this device and may not work on other hardware. But the difference should be marginal and limited to some wireless performance tweaks.
Table of Contents
- Hardware and Network Topology
- General OpenWRT Setup
- WiFi Performance Optimizations
- IPv4, IPv6 and Tunneling
- DNS and Dynamic DNS
- Virtual Local Area Network, Virtual LAN or VLANs
- Zero Configuration Networking (ZeroConf) with Avahi
- Link Layer Discovery Protocol - LLDP
- Bufferbloat and Traffic Shaping
- Statistics scripts
- Performance Monitoring
- Missing Parts
First thing to do is to flash the original firmware with OpenWRT. I don’t want to go into the details because they differ from router to router. At the end you should have an installed and working OpenWRT. I do not install LuCI to manage the router via web interface. Just ssh’ing into the box is fine.
After the installation is done you log in via Telnet and set a new root password. Telnet should now automatically be disabled once the password is set. Try it, then log in again via ssh.
Then you should change hostname and timezone in /etc/config/system. Because I name all devices after galaxies, clusters and superclusters this system is named laniakea. The LEDs on the front can be changed as well. For example the WPS LED is unused, so why should the LED not blink and serve as a heartbeat? Install kmod-ledtrig-heartbeat and add three additional lines to the config. The most useful™ module is probably the netfilter module: you can define netfilter rules and when they match the LED will blink. So for example you can match incoming SSH traffic, blink when IPv6 traffic is seen and so on. We do not edit anything else in this file yet; the NTP configuration is done separately.
Before we go on we just check what the hardware provides, starting with the filesystem:
Now we look at the major configuration files of an OpenWrt router, starting with the network configuration, followed by the wireless configuration. You see that for the WAN side DHCP is already activated. We do not edit anything here for now.
Now we take a look at a (slightly modified) wireless configuration. Per default the WiFi interfaces are disabled and must be enabled explicitly.
After correct cabling (WAN port toward the cable modem, LAN port toward the host) and probably a network restart or reboot, IPv4 and IPv6 addresses will be assigned.
We do not see any wlan interfaces because they are disabled per default. Let's see what the WiFi chipset provides:
If we also obtain the output for phy1 the data is nearly identical; the only difference are the DFS states (a truncated
Dynamic Frequency Selection (DFS) is mandatory in the US, EU and Japan to detect interference with radar systems, especially weather radar systems. If a collision is detected the WiFi AP is forced to instantly change the frequency band. Not sure what the values actually mean, probably wait every ~21h and then listen for 1 minute and search for radar pulses.
Common Router Software
No matter which Linux device I work on, some software is mandatory:
Edit passwd and point root's shell to /bin/zsh
In subsequent sections we will install additional software. We don't do it now because these packages are optional and every reader should decide which software is required and why. If you want you can already capture traffic on all interfaces, including the wireless link.
Tuning the Default WiFi Configuration
The default WLAN configuration provides a stable starting point, not a tuned one. If something goes wrong it is always possible to go back to this one.
Before starting with modifications it is necessary to measure the current performance. To get this right some things should be considered.
Both end hosts, source and sink, must be able to transmit and receive at the given rate. For example, the Google Nexus 7 tablet is limited to 60MBit/s (PHY rate, including PHY "overhead") as it supports only a single spatial stream. The antennas of cell phones, tablets and laptops differ enormously. So make sure the server and client hardware is actually capable of such measurements.
Then source and sink can be software limited. If using TCP the kernel parameters may not be adequate to get maximum performance even though the WiFi hardware limit is not reached. Downloading files directly can be artificially limited by low performance NAND (eMMC), thus performance measurement tools should be used - not wget.
To test the surrounding components it is a good idea to install the measurement software and plug source and sink directly to the gigabit ports of the router and do the test via wire first.
The best network measurement tool for Linux is netperf. It has more expert features than iperf. Netperf is extensively used by the kernel network stack guys and the author Rick "Netperf" Jones is an active member of netdev. If a new feature makes sense it is added by Rick. Though netperf is the expert tool, the drawback is that it is not as widely distributed as iperf (where Windows ports and nice GUI frontends are available). Iperf is available as an Android app and as an OpenWRT package. To keep things simple, and because the only goal is to get vanilla down- and upload values, we will use iperf now.
First we start with a simple test: two hosts connected via an HP Gigabit switch - no router hardware in between. With this test we make sure both computers are able to communicate with each other at the requested rate (you can call it the Linux kernel configuration and CPU check if you want).
This is near the practical maximum throughput of 802.3. The theoretical maximum of 802.3 is 100MBit/s. The difference between theoretical and practical maximum throughput is not large for 802.3 because of protocol efficiency and other factors. For 802.11 the difference can be enormous.
So the logical next step is to transmit data directly over WiFi. We start with the 2.4 GHz band:
Not too bad, now adjust/tune the wireless device config a little bit:
So we see a performance increase of ~50% for 802.11n. Last but not least you can try the following options to increase the throughput even more. But be aware that some configuration knobs may lead to malfunctions, so be careful.
For the 5 GHz band and with the vanilla wireless configuration (without modification) I get the following throughput results:
If I run the iperf application on Google's Nexus 9 I get on average 310 MBit/s. Seems the WiFi chipset and/or antennas (2x2 MIMO) are better than in Dell's XPS 13. On the Nexus 5 I get on average 210 MBit/s. Sufficient for me - no further optimization required.
A Crowded Frequency Spectrum
As you see in the configuration the configured channel is 4 in the 2.4 GHz band (2427 MHz). This is the frequency band where the fewest devices operate in my direct neighborhood.
Router Placement and Positioning
An often underrated topic is the placement of the router. A well positioned router may perform magnitudes better than one placed somewhere where shielding and reflection are common. Sure, everyone has limitations in the form of power supply, Internet upstream connectivity or wife's visions of how the accommodation should look. In the end the possibilities are limited, nonetheless some flexibility is usually available and should be used.
But how to know which router position is superior? Measurements must be done. Place your router, take a WiFi device, start iperf and walk around your flat. If you encounter areas with low coverage try repositioning the router. One last word: do the measurements at the times when you plan to use the router - working hours, non-working hours, … - because channel saturation changes over the day.
Kabel Deutschland (a larger ISP in Germany) provides Internet connectivity through cable modems on standard cable television infrastructure. Thus a cable modem is provided by the provider. Without configuration changes the DOCSIS-3 modem uses DHCPv4 to provide IPv4 addresses (RFC 1918 addresses, NATed) and IPv6 SLAAC to hand out a /64 prefix. The latter is the minimum required to fulfill the requirements. It does not allow me to group the network into routing areas (subnetting) - which is bad.
Kabel Deutschland provides a mode to switch the modem - and the infrastructure behind it - into a so called bridge mode. The result is that a public IPv4 address is returned for a DHCPv4 request, but if you try DHCPv6 prefix delegation (DHCP-PD) you get an error that no IPv6 addresses are available. Reading forums I realized quickly that Kabel Deutschland does not provide any IPv6 connectivity if the modem is switched into bridge mode. To sum up KD's default modem setup:
- NATed RFC1918 IPv4 address via DHCP
- IPv6 address via SLAAC
This is not ideal because you will do NAT at least two times: in the OpenWrt box and in the cable modem. Because KD does DS-Lite with Carrier-Grade NAT we increase the NAT madness from two to three times - yes. And because they do Carrier-Grade NAT, port forwarding is not dead simple. The other solution is to use the bridge mode, use the provided (public) IPv4 address and set up an IPv6 tunnel. Sixxs provides, by the way, /48 prefixes if you collect enough points, called IP SixXS Kredit (ISK). The biggest advantage of this solution is probably working port forwarding without headache, plus IPv6 addresses and IPv6 subnetting. So the following setup uses KD bridge mode.
IPv6 Tunnel Setup with Sixxs
Install aiccu and the required dependencies:
In the wan6 section of /etc/config/network you should enter your Sixxs data: username, password, tunnelid and the prefix.
Run /etc/init.d/network reload or reboot - sometimes the modifications are not detected or the scripts have some problems - I don't know. So a reboot is probably what you should do from time to time if you change several files, just to make sure that a configuration bug is not hidden. Now check the connection after reconfiguration, ping an IPv6 host:
Sometimes I stumbled over some misbehavior causing the tunnel not to come up properly. Adding the following line to /etc/rc.local helped me:
If things work you can enable SLAAC to announce the prefix in your network. Note that radvd is not used since Barrier Breaker. For more IPv6 related configuration you should check the wiki. To enable SLAAC just make sure the following configuration lines are added
Remember that some lines above in /etc/config/network the default configuration additionally defines a ULA - this will also be advertised via SLAAC.
Maybe it is time to reboot now. To get a fresh network configuration on your client system you can remove all IP addresses via sudo ip a flush dev DEV. Now wait until the router has rebooted and all IP addresses are assigned. Let's check the IP addresses on the client system:
Fine! We get the IPv4 address via DHCP, the Sixxs tunnel address and the ULA via SLAAC. To make sure everything works you can now ping an IPv6 host somewhere in the world from any computer in the network:
One concern about IPv6 tunnels is increased delay and reduced throughput. I measured the delay for a while and only see a slight increase of round trip time compared to "native" connectivity. The following image illustrates the measured ping RTT from a client in my network to heise.de. If you want to test your IPv4/IPv6 RTT performance you can use my ready to use ping gnuplot inkscape script to visualize your RTT:
As a requirement for IPsec, VPN or other home network related operations like file hosting at home you need to know the actual IP address of your router.
My network addressing for IPv4 is dynamic: my provider will renew the public IPv4 address from time to time, at least if I reboot the router. Because I use Sixxs for IPv6 connectivity the IPv6 addresses will not change - static, if you like. Thus I can directly communicate via IPv6 with my router if required. To communicate via IPv6 with any host in my home network I am forced to assign a static IPv6 address to the host(s). This contradicts efforts to use privacy generated (pseudo random) IPv6 addresses. I will show how you can configure a hybrid IPv6 addressing scheme: permanent addressing for internet → intranet communication and privacy addresses for everything else.
But an addressing mechanism limited to IPv6 has some problems. The two relevant problems are:
- Often you don't have IPv6 connectivity, especially abroad or on vacation, resulting in times where you just cannot connect to your home network.
- Secondly, IPv6 addresses are hard to remember and typing 2001:DB8:daed:affe::1 every time is annoying.
To bypass this situation we will use a Dynamic DNS service to get comfortable, pronounceable names for both IPv6 and IPv4.
Dynamic Updates in the Domain Name System - DNS Update
Dynamic DNS as specified in RFC 2136 (https://tools.ietf.org/html/rfc2136) is not directly what the common providers of custom DNS updates use. Today they often provide an HTTP REST-like interface to push credentials, the domain name to update and the IP addresses. The provider then updates the corresponding DNS entries. The "real" Dynamic DNS update mechanism works by providing an in-band mechanism to update the DNS database using a special DNS record. That mechanism is more complex, requires DNS tooling and, most importantly, a cryptographically secured infrastructure. It's somehow understandable that DynDNS providers bypass this and use a lighter mechanism to update the database.
There are many providers on the market offering DynDNS services. Probably you already have one. I have used Hurricane Electric for several years (not only as a DNS update service) and am quite happy with it. The guys from Hurricane Electric (HE) are professional, know what the crowd wants and do a perfect job! The next paragraphs describe the setup procedure for HE and assume you already have a domain name and want to use it by simply delegating a subdomain to HE.
named FooBar and you already registered example.com there. example.com is your primary and only domain: you operate HTTP, SMTP, IMAP and other servers on this host. But you want to use this domain also to access your home network. The way to go is to add another subdomain and change the DNS responsibility for this subdomain. Let's name the subdomain 'home', resulting in the FQDN home.example.com. Next, transfer the nameserver authority for this subdomain to HE. In DNS terms: add an NS record for home.example.com and point it to HE. This is normally done in the web based administration panel of your registrar (FooBar). After the change you should see the modifications in the DNS
The next step is to let HE know that the subdomain is now managed by HE. The HE DNS administration desk provides all knobs to do that. I don't want to go into the details because the configuration is quite simple. You can add new subdomains like router (FQDN: router.home.example.com) and choose between a static mapping or a dynamic one for IPv4 (A record) and IPv6 (AAAA record). Because I have a permanent IPv6 address I add the IPv6 address directly here; no need to change this dynamically via DNS update. For IPv4 you need to generate a dynamic DNS key. This key is later used to change the IPv4 address and prevents others from changing the address and pointing it to some other host. For now, just remember your username and the newly created password.
Now install the required OpenWrt software:
Now we overwrite the default configuration in /etc/config/ddns with your new
Simply start the local DDNS service, enable the service permanently and, to make sure everything is working, trigger an interface-up event so that the DDNS service detects the current IP address. Alternatively, Windows style: you can reboot your router.
Now check that everything is working. Query the AAAA and A record for your domain. For IPv6 you should see the static address and for IPv4 you should see the ISP provided IPv4 address. Afterwards you can use an online ping service to verify connectivity. OpenWrt's default firewall rules let ICMPv4 and ICMPv6 in (with some rate limiting restrictions).
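To show what the HTTP-based update mechanism from the DynDNS section actually does under the hood, here is an added shell example (my own illustration, not OpenWrt's ddns-scripts and not HE's code). It assumes HE accepts dyndns2-style updates at dyn.dns.he.net/nic/update with hostname, password and myip parameters and answers "good <ip>", "nochg <ip>" or an error word; host name, key and WAN interface name are placeholders.

```shell
#!/bin/sh
# Added example for this howto (not OpenWrt's ddns-scripts, not HE's code):
# a minimal IPv4 updater for the HTTP-based DDNS mechanism described above.
# Assumptions: HE speaks the dyndns2-style protocol at DDNS_URL, takes
# hostname/password/myip as parameters and answers "good <ip>", "nochg <ip>"
# or an error word (badauth, nohost, abuse, ...). Host and key are placeholders.
DDNS_URL="https://dyn.dns.he.net/nic/update"
DDNS_HOST="router.home.example.com"          # placeholder FQDN from the text
DDNS_KEY="REPLACE-WITH-YOUR-HE-DDNS-KEY"     # placeholder, keep it out of git
STATE_FILE="/tmp/ddns.last_ip"

# Public IPv4 currently bound to the WAN interface (bridge mode: no NAT in front).
wan_ipv4() {
    ip -4 -o addr show dev "${1:-eth0}" scope global \
        | sed -n 's/.* inet \([0-9.]*\)\/.*/\1/p' | head -n 1
}

# Map a dyndns2 reply to updated|unchanged|error; exit status 1 on error so the
# caller never records an address the provider did not accept.
classify_response() {
    case "$1" in
        good\ *|good)   echo updated;   return 0 ;;
        nochg\ *|nochg) echo unchanged; return 0 ;;
        *)              echo error;     return 1 ;;
    esac
}

# True when the address differs from the last one we pushed. Re-sending an
# unchanged address on every timer tick gets clients rate limited ("abuse").
needs_update() {
    [ ! -f "$STATE_FILE" ] || [ "$(cat "$STATE_FILE")" != "$1" ]
}

# Push $1 to the provider only if needed; prints the outcome word.
update_ddns() {
    needs_update "$1" || { echo unchanged; return 0; }
    reply=$(curl -fsS --max-time 20 \
        --data-urlencode "hostname=$DDNS_HOST" \
        --data-urlencode "password=$DDNS_KEY" \
        --data-urlencode "myip=$1" "$DDNS_URL") || reply="error (curl failed)"
    outcome=$(classify_response "$reply") && echo "$1" > "$STATE_FILE"
    echo "$outcome"
}

# Stand-alone use, e.g. from cron every few minutes or from a hotplug script:
# update_ddns "$(wan_ipv4 eth0)"
```

The state file is what keeps the script from hammering the provider with no-op updates, which is exactly the reason ddns-scripts compares the registered and the current address before talking to the provider.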
Guest WiFi and Freifunk
Many OpenWrt configurations show how to set up a guest WiFi. Normally a reduced feature set WiFi, e.g. firewalled with the exception of HTTP and HTTPS. The guest WiFi is often VLAN tagged to make sure that insecure and secure data do not use the same network.
I don't provide a guest network and I do not restrict guests. Rather I host a Freifunk node for the neighborhood which can be used by guests too. The additional Freifunk router (costs 20 euro) uses its own firmware (right, its own modified OpenWrt version with BATMAN routing, fastd, etc. pp). All traffic from this router is tunneled via VPN to another router in Munich. So I can't even see what the guests do! The only limitation for guests is slight up- and downlink shaping, just to make sure that guests do not saturate my ISP link - that's all.
If you want to participate you can join the monthly Freifunk meeting here in Munich or in your town. Meet great people, talk about OpenWrt and allow people to download their favorite cat images.