Dark arts mastery: Created a Linux x86 VM on my M1 Pro MacBook Pro
Within that Linux VM, created a docker container of Ubuntu with some personalised stuff.
On that container, built another one with the OpenWRT builder for RPi 4
Used that docker container to build a new OpenWRT image
Booted it on a spare RPi 4 and restored the backup of my OpenWRT config to it.
Took my actual OpenWRT router down, inserted the flash card I'd just created, and powered it back up.
Everything. Worked.
If you roll your own router, it's useful to know that you can recreate it were it to go tits-up, and I can!
Andy Buckley, in reply to Sarah Brown
Sarah Brown, in reply to Andy Buckley: @Andy Buckley Well, the OpenWRT builder doesn't run on ARM, and the only x86 box I own is a knackered old MacBook Pro, 2015, that I once poured beer through by accident and that currently has some ancient, crusty, barely functioning Ubuntu on it.
I should probably chuck it out.
FeralRobots, in reply to Sarah Brown
Sarah Brown, in reply to FeralRobots
Sarah Brown, in reply to Sarah Brown:
Also, TIL: The OpenWRT web interface, LuCI, by default listens on 0.0.0.0:80 (via uhttpd), which one may think is madness, because you don't want the WAN or non-admin VLANs accessing it.
So I changed it to 192.168.1.1:80, but it turns out that this is pointless. It was always firewalled from the WAN anyway (and indeed, ports 80 and 443 incoming are forwarded to my Friendica server), and it turns out that it still accepts connections from other VLAN subnets because of funky loopback shit.
So you need to firewall the router from potentially hostile VLAN subnets and just allow DNS and DHCP via port forwarding (if that's how you roll) through anyway.
(Aside, I wondered what the fuck the "input" zone forwarding was on the OpenWRT firewall. Turns out it means traffic aimed at the router, and only the router. Live and learn.)
And also, if you try and bind it to the main LAN, it comes up before that interface does, notices the interface doesn't exist, and promptly quits.
And then you have to go in via ssh and start it manually.
So don't do that. It's set to 0.0.0.0:80 in /etc/config/uhttpd for a reason, and we shouldn't fuck about with it.
Rolling your own Internet router is fun, but there are all sorts of fun ways to screw yourself.
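As an added example (not from Sarah's post and not a file shipped by the OpenWRT project), this is what "leave uhttpd on 0.0.0.0:80 and firewall the router from the hostile VLAN instead" looks like in OpenWRT's UCI syntax. The zone and interface name `guest` is assumed; substitute the name of your non-admin VLAN interface. The `input` option on the zone is exactly the "traffic aimed at the router, and only the router" setting from the post: with it set to REJECT, a host on the guest VLAN cannot reach LuCI on port 80 even though uhttpd is bound to every address, while the two explicit rules let DHCP and DNS through.

```uci
# /etc/config/uhttpd -- the stock default, deliberately left alone.
# Binding to the LAN address instead races the interface at boot (see the post).
config uhttpd 'main'
	list listen_http '0.0.0.0:80'
	list listen_http '[::]:80'

# /etc/config/firewall -- added fragment for the non-admin VLAN.
# Zone name and network name 'guest' are assumptions for this example.
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'     # traffic TO the router itself: dropped unless a rule below allows it
	option output 'ACCEPT'    # router -> guest (DHCP offers, DNS answers)
	option forward 'REJECT'   # no guest-to-guest forwarding across interfaces

# Guest hosts still get Internet access via the wan zone.
config forwarding
	option src 'guest'
	option dest 'wan'

# DHCP: clients broadcast to udp/67 on the router.
config rule
	option name 'Allow-DHCP-guest'
	option src 'guest'
	option proto 'udp'
	option dest_port '67'
	option family 'ipv4'
	option target 'ACCEPT'

# DNS: dnsmasq on the router answers on tcp+udp/53.
config rule
	option name 'Allow-DNS-guest'
	option src 'guest'
	option proto 'tcp udp'
	option dest_port '53'
	option target 'ACCEPT'
```

Apply it with `/etc/init.d/firewall restart`. On fw4-based releases `fw4 print` shows the generated nftables ruleset, where the guest input chain should contain only the DHCP and DNS accepts before the reject; from a host on the guest VLAN, `nslookup` against the router should succeed while a connection to port 80 on any of the router's addresses is refused. Keeping uhttpd on the wildcard address and doing the access control in the firewall means there is one place to audit, and it does not depend on which router address a guest happens to try.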
Gen X-Wing, in reply to Sarah Brown: OpenWRT is useful (using it on two APs currently), but boy can networking and setting it up be an endless circle of confusion :(
Good luck!
Sarah Brown, in reply to Gen X-Wing
Gen X-Wing, in reply to Sarah Brown: Got a box for a router now, so it's going to be pfSense or OPNsense for now. Hoping they will give me lots of good features.
But swapping over will be a bit of a nervous thing. But also why I need APs 😀
Also running on open software, because I don't trust networking stuff anymore. Especially not the terrible ISPs :(
Sarah Brown, in reply to Becky: @Becky I'll also note that you can't bridge VMs on 2 different VLANs to the same physical ethernet port on UTM, and if you try, neither will work.
I discovered this in the traditional manner.
(UTM on a different VLAN to the one the Mac is using natively is fine, this only applies to VMs)
Which is why my Mac Mini has TWO ethernet ports both connected now.