# Note: github.com/fossjon <- I lost access due to missing 2fa, so now I'm using -> github.com/stoops
# Pull the first three pages of the WordPress feed, pair up each <title>/<link>
# and turn the pair into one anchor line; only links on this blog are kept.
for p in $(seq 1 3) ; do
  curl -sL "https://fossjon.wordpress.com/feed/?paged=$p" | grep -Ei '<(title|link)>' \
    | sed -e 's@<title@~<title@g' | tr ' \t\r\n' ' ' | tr -s ' ' | tr '~' '\n' \
    | sed -e 's@^.*<title>\(.*\)</title>.*<link>\(.*\)</link>.*$@<a href="\2" style="text-decoration:none;font-family:monospace;">\1</a><br/>@' \
    | grep -i '/fossjon.wordpress.com/'
done > blog.html

Quick Blog Links

Configuring an OpenWRT Switch to work with SSID VLANS on a UAP-AC-PRO

Network setup: https://fossjon.wordpress.com/2021/02/05/home-networking-upgrade-unifi-uap-ac-pro-ufos/

On the OpenWRT Switch page, I have set LAN port 1 (along with a backup LAN port 2, but a single port is enough) as the VLAN trunk port (tagged) so it carries the traffic through to the VLAN access ports (untagged) [home = VLAN 3, guest = VLAN 4]. This creates the sub-interfaces eth0.3 and eth0.4, which carry the separated Ethernet Layer 2 traffic from the WiFi clients (ARP, DHCP via dnsmasq, mDNS, etc).

Note: Make sure to tag the CPU along with the LAN ports, and ignore the untagged VLAN 5; I’m using it as an isolated management network (firewalled off with iptables at Layer 3).

Linksys WRT32X Switch Setup:

You can then go to the Networks section in the UniFi AP Site configuration and add a VLAN-Only Network (set the ID to 3 or 4) and then on the Wireless page create an SSID which uses that Network Name in the WiFi settings.

Note: To achieve a similar setup on an OpenWRT AP, you can tag the WAN port on those same VLAN numbers and then, on the Interfaces page, create an unmanaged interface from the related VLAN sub-interface listed; this interface can then be assigned to the SSID network under the Wireless networks page.
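As an added example (not a file from the post), these are the /etc/config/network switch stanzas that express the setup above on a swconfig-based OpenWRT board. The switch port numbers (LAN1 = 0, LAN2 = 1, CPU = 5) are assumptions; read the real mapping off the device’s Switch page before applying.

```text
# Added example, not the post's own config. Port numbers are assumptions:
# LAN1 = port 0, LAN2 = port 1 (backup trunk), CPU (eth0) = port 5.
config switch
	option name 'switch0'
	option reset '1'
	option enable_vlan '1'

# home SSID: tagged on both trunk ports and on the CPU port -> eth0.3
config switch_vlan
	option device 'switch0'
	option vlan '3'
	option ports '0t 1t 5t'

# guest SSID: same trunk ports, separate VLAN -> eth0.4
config switch_vlan
	option device 'switch0'
	option vlan '4'
	option ports '0t 1t 5t'
```

After a network reload, eth0.3 and eth0.4 show up on the Interfaces page and can be attached to their own networks; the untagged management VLAN 5 is deliberately left out of the trunk.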


Exploring The Ubiquiti AP Firmware

There is a small issue that I noticed in the UAP-AC-PRO firmware images — I’ve posted this issue on the community forums and also filed a tracker report. It’s a shell script (or incomplete image) type of error, depending on how you look at it, but if you SSH into the AP you’ll notice this trace file:

home-BZ.v4.3.28# cat /tmp/rc.txt
...
+ [ -e /usr/etc/rc.postconf ]
+ [ -e /etc/ltecfg/lteUpgradeSierraWireless.sh ]
+ init -q
+ bgnd -r garp -- /sbin/garp -s 2
ERROR: bgnd: EXEC FAILED! Executable: /sbin/garp

If you check to see where this binary executable exists on the firmware image itself, it turns out it is indeed missing:

# echo $PATH ; which garp ; ls -l /sbin/garp
/usr/bin:/bin:/usr/sbin:/sbin
ls: /sbin/garp: No such file or directory

And if you look at which shell script is responsible for this error message (it’s an rc startup script):

# grep -in '' /etc/rc.d/rc
...
92:start() {
93:	# assumes a good starting point (module unloaded, processes stopped)
94:
95:	# update running config
...
194:	# done.
195:	bgnd -r garp -- /sbin/garp -s 2 &
196:	# NOTE: we didn't set the LED here. instead, we rely on the management agent (mcad)
197:	# to call syswrapper.sh:set-ready
...
215:	# make new /etc/inittab takes effect
216:	init -q
217:}
...


Either the image needs to ship the referenced binary, or the startup script needs extra logic to check that the gratuitous ARP command is actually present before calling it!


Home Network Upgrade – UniFi UAP-AC-PRO – More UFOs!

So, starting 2021 and continuing on the theme of UFO-shaped things, I decided to replace our home AP (TP-Link Archer C7 V5 – good Qualcomm Atheros radios, low CPU/RAM/disk) and the guest AP (Linksys WRT1900ACS – good RAM/CPU/disk, bad Marvell radio driver support), which were both running OpenWRT. I was able to achieve a fairly stable and fast setup with those routers by keeping the TP-Link minimal and the Linksys in a basic wireless environment setup.

I wanted to try a new product to replace them both and also expand my knowledge along the way. I picked up a couple of Ubiquiti APs to run each network type (802.11ac, 3×3, 1300 Mbps); they are connected via CAT6 gigabit Ethernet cable to VLAN ports on a Linksys WRT32X router. This OpenWRT router acts as a wireless client bridge, carrying all the internal network traffic over a dedicated, separate 802.11ac backchannel to another TP-Link Archer C7 V5 router in the basement, which is connected to a cable modem for internet access.

They were pretty easy and straightforward to set up (just remember to download Java 8 for the UniFi controller software). They have good CPU/RAM and stable wireless radios. They came with the PoE injectors in the box (no cables though), and the OS on them is very powerful, allowing for features like 5 GHz band steering in a dual-frequency, single-SSID WiFi setup.

They do one thing and one thing well which is exactly what I was looking for!

A Long Time Ago
Back To The Future

Edit: There seems to be a DHCP issue with the firmware image; make sure to run this upgrade:

# upgrade https://dl.ui.com/unifi/firmware/U7PG2/4.3.20.11298/BZ.qca956x.v4.3.20.11298.200704.1347.bin

Nearing the end of 2020 with a UFO toy

Well, this year has been a rough one so far and it can be hard to stay sane while being inside all the time! I tried to keep busy as much as possible to help stay active — I was gifted a cool xmas toy to play with and observe in the meantime (I had my money on aliens making an appearance before the end of the year, but it looks like this will have to do for now…):


Edited some squircle icons for Big Sur (VLC, BBEdit, iTerm, Transmission)

I thought I’d post them here in case anyone wants their dock to look a little more uniform with everything else!

Note: The VLC app has an ICNS file that it also uses once launched and active, so you can replace that one too by running:

cp vlcr.png ~/Applications/VLC.app/Contents/Resources/VLC.icns

Trying out a modified version of openwrt for my linksys router

So there is a modified version of OpenWRT (called davidc502) that is meant to include a more up-to-date set of wireless drivers for the radios in the Linksys WRT32X router. It’s a pretty cool alternative that I’m glad exists; it is trying to improve the stability and performance of these devices, which are poorly supported by their creators. For example, I recorded the wifi module versions of stock OpenWRT versus davidc502 below:
 

# opkg list-installed | grep -i wifi
kmod-mwlwifi - 4.14.195+2019-03-02-31d93860-1
mwlwifi-firmware-88w8864 - 2019-03-02-31d93860-1

# opkg list-installed | grep -i wifi
kmod-mwlwifi - 5.4.42+2020-02-06-a2fd00bb-1
mwlwifi-firmware-88w8864 - 2020-02-06-a2fd00bb-1
mwlwifi-firmware-88w8897 - 2020-02-06-a2fd00bb-1
mwlwifi-firmware-88w8964 - 2020-02-06-a2fd00bb-1

 
However, one thing to note: when I first ran netstat on it I was surprised to see so many running services listening on all kinds of ports, and I had to go through the Services tab and turn most of them off manually.

Trying to block all possible web connections to facebook (with the Chrome browser)

The first extension I always install in Chrome is “uBlock Origin”, of course, to block as many wasteful ads as possible, but it doesn’t specifically target entire web properties such as all of Facebook’s subdomains out there (for example, if someone puts a Facebook image or Like button on their site and your browser loads that content, it’s another signal they can tie to your information, even though I don’t have a Facebook account).

I found a cool extension for Chrome called “Domain Blocker” which lets you list wildcard subdomain names to block web requests at the browser level directly (no messy /etc/hosts file setup or maintenance needed). For example, you can grab a master list of Facebook domain names and run it through some basic awk/sort filtering to produce a short list to block:

$ curl -sL 'https://raw.githubusercontent.com/jmdugan/blocklists/master/corporations/facebook/all' | tr '.' ' ' | awk '{ print $(NF-1)"."$NF }' | sort | uniq | awk '{ print $1 ; print "*."$1 }'

facebook.com
*.facebook.com
facebook.de
*.facebook.de
facebook.fr
*.facebook.fr
facebook.net
*.facebook.net
fb.com
*.fb.com
fb.me
*.fb.me
fbcdn.com
*.fbcdn.com
fbcdn.net
*.fbcdn.net
fbsbx.com
*.fbsbx.com
fburl.com
*.fburl.com
foursquare.com
*.foursquare.com
freebasics.com
*.freebasics.com
hootsuite.com
*.hootsuite.com
instagram.com
*.instagram.com
internet.org
*.internet.org
m.me
*.m.me
messenger.com
*.messenger.com
online-metrix.net
*.online-metrix.net
tfbnw.net
*.tfbnw.net
thefacebook.com
*.thefacebook.com
wechat.com
*.wechat.com
whatsapp.com
*.whatsapp.com
whatsapp.net
*.whatsapp.net

This will now produce a blocked message if your browser tries to load any content from any of those domains (links, imgs, scripts, frames, etc.):

www.facebook.com is blocked
Requests to the server have been blocked by an extension.
Try disabling your extensions.
ERR_BLOCKED_BY_CLIENT

Reminder: also make sure to block third-party cookies in Chrome’s settings; it helps a lot to keep things clean along the way!
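The pipeline above keeps only the last two labels of each hostname, which is wrong for two-label public suffixes (a “facebook.co.uk” entry would collapse to “co.uk” and the wildcard would block every .co.uk site). Here is an added Python version of the same collapsing step, not code from the post, with a small constructed suffix set and constructed sample input standing in for the real Public Suffix List and the jmdugan block list:

```python
from typing import List, Optional

# Constructed sample of two-label public suffixes; the real Public Suffix List
# is far longer, so treat this set as an assumption for the demo.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.br", "com.au", "co.jp"}

# Constructed sample input (the post pulls the full jmdugan facebook list).
SAMPLE_HOSTS = """\
www.facebook.com
static.xx.fbcdn.net
facebook.co.uk
# comments and blank lines are ignored

edge-star.fb.com
FB.ME.
"""


def registrable_base(host: str) -> Optional[str]:
    """Registrable domain for a hostname, or None if it cannot be blocked safely."""
    labels = host.strip().lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    tail = ".".join(labels[-2:])
    if tail in TWO_LABEL_SUFFIXES:
        # "co.uk" alone is a public suffix: blocking *.co.uk would hit every UK site
        return ".".join(labels[-3:]) if len(labels) >= 3 else None
    return tail


def collapse_domains(text: str) -> List[str]:
    """Host list -> sorted 'base' / '*.base' pairs in Domain Blocker's format."""
    bases = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            base = registrable_base(line)
            if base:
                bases.add(base)
    out: List[str] = []
    for base in sorted(bases):
        out.extend([base, "*." + base])
    return out


if __name__ == "__main__":
    print("\n".join(collapse_domains(SAMPLE_HOSTS)))
```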


Last piece of relay software needed for my home bridged network

If you are running a bridged/relayd network with Macs on it, you may also need to forward the multicast traffic (mDNS) that lets the devices discover each other automatically. On the WRT wifi client side there is a package called avahi-daemon which you can configure to run in “reflector” mode to forward these packets across the specified interfaces. Running this service along with the dhcprb C program, which takes care of Layer 2 ARP requests and DHCP gateway forwarding, has been pretty smooth so far!

74:DA:88:8F:50:00  -47 dBm / -89 dBm (SNR 42)  990 ms ago
	RX: 1300.0 MBit/s, VHT-MCS 9, 80MHz, VHT-NSS 3   6413214 Pkts.
	TX: 1170.0 MBit/s, VHT-MCS 8, 80MHz, VHT-NSS 3   3557598 Pkts.

 2570 root       704 S    ./dhcprb br-wan wlan0

# /etc/avahi/avahi-daemon.conf

[server]
allow-interfaces=br-wan,wlan0
use-ipv4=yes
use-ipv6=no
check-response-ttl=no
use-iff-running=no

[publish]
disable-publishing=yes
publish-addresses=no
publish-hinfo=no
publish-workstation=no
publish-domain=no
publish-resolv-conf-dns-servers=no

[reflector]
enable-reflector=yes
reflect-ipv=no

[rlimits]
#rlimit-as=4194304
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Final version of relayd functionality written in C (arp & dhcp bridging)

So it took me a while to update and re-write the DHCP relayd functionality that I made in Python previously. This new C file can relay and rebroadcast both ARP and DHCP packets via raw sockets. For DHCP relaying, it has to insert the bridge’s IP address into the request so that the server replies back to us and we can then forward the reply on (so only one DHCP server is needed on the whole network). The last interface specified in the list is designated as the DHCP server interface, to which incoming requests are sent.

Also tried to reduce the number of system calls made by reading both the arp table proc file and routing table file instead (only 1 sys call to replace host route entries on the bridge router).

It’s been a while since I used select with multiple sockets, but this compiled version uses less memory while running than the Python version, although the Python version is easier to read and maintain (it depends on your needs).

https://github.com/stoops/arprb/blob/master/dhcprb.c?ts=4

I’ll run this for a while and see how it performs!

Jon C
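The “insert the bridge’s IP address into the request” step above is the giaddr rewrite every DHCP relay performs. As an added Python illustration (not the post’s dhcprb.c), this shows the request rewrite with the RFC 1542 hop guard, and how the relay decides where a server reply goes; build_discover and build_offer are constructed demo helpers, not project code.

```python
import struct
from ipaddress import IPv4Address
from typing import Tuple

# Fixed BOOTP header (RFC 2131): op htype hlen hops xid secs flags ciaddr
# yiaddr siaddr giaddr chaddr(16) sname(64) file(128); options follow the cookie.
HDR = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")
MAGIC = b"\x63\x82\x53\x63"
ZERO = b"\0\0\0\0"
MAX_HOPS = 16          # RFC 1542: discard a request that has been relayed too often
CLIENT_PORT = 68

def relay_request(pkt: bytes, relay_ip: str) -> bytes:
    """Rewrite a client BOOTREQUEST so the server answers this relay (giaddr)."""
    f = list(HDR.unpack_from(pkt))
    if f[0] != 1:
        raise ValueError("not a BOOTREQUEST")
    if f[3] >= MAX_HOPS:
        raise ValueError("hop limit exceeded, drop")
    f[3] += 1                                  # hops
    if f[10] == ZERO:                          # only the first relay sets giaddr
        f[10] = IPv4Address(relay_ip).packed
    return HDR.pack(*f) + pkt[HDR.size:]       # options are passed through untouched

def reply_destination(pkt: bytes, relay_ip: str) -> Tuple[str, int]:
    """Where the relay must send a BOOTREPLY that the server returned to it."""
    f = HDR.unpack_from(pkt)
    if f[0] != 2 or f[10] != IPv4Address(relay_ip).packed:
        raise ValueError("not a reply addressed to this relay")
    flags, ciaddr, yiaddr = f[6], f[7], f[8]
    if ciaddr != ZERO:                         # renewing client already has an IP
        return str(IPv4Address(ciaddr)), CLIENT_PORT
    if flags & 0x8000:                         # client asked for broadcast replies
        return "255.255.255.255", CLIENT_PORT
    # no IP yet, no broadcast flag: unicast to yiaddr at layer 2 (dhcprb's raw-socket job)
    return str(IPv4Address(yiaddr)), CLIENT_PORT

def build_discover(xid: int, mac: bytes, broadcast: bool = True) -> bytes:
    """Constructed DHCPDISCOVER (option 53 = 1) used only for this demo."""
    hdr = HDR.pack(1, 1, 6, 0, xid, 0, 0x8000 if broadcast else 0, ZERO, ZERO,
                   ZERO, ZERO, mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + MAGIC + b"\x35\x01\x01\xff"

def build_offer(request: bytes, yiaddr: str) -> bytes:
    """Constructed server DHCPOFFER echoing the request's xid, flags and giaddr."""
    f = list(HDR.unpack_from(request))
    f[0], f[8] = 2, IPv4Address(yiaddr).packed
    return HDR.pack(*f) + MAGIC + b"\x35\x01\x02\xff"
```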
