remplacer la freebox par nanopi r4s

documentation:

• Projet NoBox: Se passer de la Freebox avec un routeur openwrt.

• openwrt.org forum: NanoPi R4S rk3399 4G is a great new OpenWrt device

• openwrt.org forum: IPv6 works only with wan in promiscuous mode

• openwrt.org doc: build openWrt image from git

• La Fibre.info: (mon thread) Dégager la freebox serveur

• compile firmware compatible with openWrt repo

• build system usage

avoid issue with USB3 SSD storage adapter

Well linux supported adapter chipset: JMicron JMS578 (SATA 6Gb/s USB3.0) 152d:0578

doc:

• Connection problem with USB3 external storage on Linux (UAS driver problem)
• stackoverflow definitive solution

for ARMbian, blacklist UAS storage driver for this USB adapter:

• edit /boot/armbianEnv.txt (used indirectly by /boot/boot.cmd)

• append ,174c:55aa:u at the end of usbstoragequirks=... (not __0x0__714c etc...)

• reboot

• check it worked: sudo dmesg | grep "UAS"

  should return: usb 4-1: UAS is ignored for this device, using usb-storage instead

build openWrt from git

---

/!\ don't cross-compile on an encrypted mount point (eg. /home/nouknouk on noukfractal). Otherwise, you'll get cryptic error like "uglic++ compilation failed"

---

install build dependencies

sudo apt update
sudo apt install build-essential ccache ecj fastjar file g++ gawk gettext git java-propose-classpath libelf-dev libncurses5-dev libncursesw5-dev libssl-dev python python2.7-dev python3 unzip wget python3-distutils python3-setuptools rsync subversion swig time xsltproc zlib1g-dev

some custom additions (for wireguard, docker packages ?) sudo apt install libjson-c-dev python3.9

download sources

work in progress nanopi-r4s fork

git clone https://github.com/1715173329/openwrt-official.git
cd openwrt-official
git checkout nanopi-r4s

Specific for free ISP en ZMD:

• you may want to change directly file package/network/ipv6/map/files/map.sh
• you may want to inject package/base-files/files/etc/init.d/promiscuous in image

alternatively, for 'main branch:

git clone https://git.openwrt.org/openwrt/openwrt.git
cd openwrt

get feeds (= download 3rd party software)

./scripts/feeds update -a
./scripts/feeds install -a

configure

save/restore a custom config

• save current config:

  ./scripts/diffconfig.sh > saved.config

• restore config & merge with defaults:

  cp saved.config .config
  make defconfig
  

configure

• make menuconfig and set target.

  • target Rockchip, subtarget RK33XX, profile FriendlyARM NanoPi R4S
  • Use r8168-8.048.03 realtek kernel module(much better than r8169)

• download custom eth1 (LAN) driver r8168 to replace r8169

  git clone https://github.com/BROBIRD/openwrt-r8168.git
  # from openwrt repo folder:
  cp ../openwrt-r8168 ./package/kernel/ -R
  rm -Rf ./package/kernel/openwrt-r816/.git
  

• make defconfig to set default config for build system and device.

• make menuconfig again and modify set of package (install = *)

  • for opkg download compatibility:
    • select: Advanced configuration options
    • select: Global build settings → Select all kernel module packages by default
    • __de__select: Global build settings → Kernel build options → Compile the kernel with symbol table information
    • fill builder: Global build settings → Kernel build options → Custom Kernel Build User Name
    • fill buildhost: Global build settings → Kernel build options → Custom Kernel Build Domain Name
  • Network: add packet map (for Free 4rd)
  • Kernel Modules -> Network Devices remove kmod-r8169, add kmod-r8168

• scripts/diffconfig.sh > mydiffconfig (save your changes in the text file mydiffconfig).

my entries selected in menuconfig

• Advanced configuration options

  • Use ccache (to be tested), for faster, cached openWrt recompilations

• target images

  • only squashfs
  • Kernel partition size: 128
  • Root filesystem partition size: 55000

• Global build settings

  • Select all kernel module packages by default
  • Kernel build options
    • Custom Kernel Build User Name: builder
    • Custom Kernel Build User Name: buildhost
    • deselect: Compile the kernel with symbol table information

• Administration: htop

• Kernel modules

  • Filesystems: kmod-fs [cifs | exfat | ext4 | msdos | nfs | nfs-v3 | nfs-v4 | nfsd | ntfs | squashfs | fuse]
  • Native Language Support: nls-iso8859-15
  • Netfilter Extensions: conntrack-extra,
  • Network Devices: __de__select kmod-r8169 ; add kmod-r8168
  • Network Support: kmod-wireguard
  • Other modules: kmod-bluetooth, kmod-mmc,
  • USB Support: usb-net, usb-net-cdc-ether, usb2, usb3

• LuCI

  • Collections: luci-ssl-nginx
  • Modules: luci-mod-dashboard, luci-mod-rpc
  • Applications: luci-app-acme,luci-app-adblock,luci-app-banip, luci-app-dockerman,luci-app-https-dns-proxy,luci-app-minidlna,luci-app-statistics,luci-app-upnp,luci-app-wireguard,luci-app-wol
  • Themes: luci-theme-material
  • Protocols: luci-proto-wireguard

Note: LuCI/luci-app-samba4, Network/samba4-utils, ... makes compilation fail

• Mail ? (not yet, to be tested)

  • dovecot, dovecot-pigeonhole, dovecot-utils
  • dovecot build options: GSSAPI, SQLite, i18n
  • emailrelay

• Network

  • File Transfer: curl, rsync, wget-ssl
  • Filesystem: sshfs
  • Firewall: conntrack, iptables-mod-conntrack-extra, iptables-mod-extra,
  • NMAP Suite: ncat,, nmap
  • Routing and Redirection: ip-full, nstat,
  • VPN: wireguard-tools
  • Version Control Systems: git, git-http
  • Web Servers/Proxies
    • nginx-ssl configuration ---> Enable Lua module
  • arp-scan: arp-scan
  • map, acme, cifsmount, etherwake, ethtool, fping, ifstat, iftop, iperf3, iptraf-ng, iputils-ping, net-tools-route, netcat, odhcpd-ipv6only, samba4-utils (makes compilation fail), smbinfo, wakeonlan,

• Utilities

  • bluez-utils, dmesg, docker, docker-compose, dockerd, findutils, gawk, hwinfo, inotifywait, inotifywatch, jq, kmod, less, lm-sensors, lscpu, lsof, more, moreutils, or podman, pv, sed, smartmontools, stress-ng, tar, tracertools, usbutils, usb-modeswitch (for Huawei 4G USB), whereis, which, whois, `
  • Compression: bzip2, gzip, lz4, unrar, unzip, xz-utils
  • Database: sqlite3-cli
  • Disc: cfdisk, hdparm, lsblk
  • Editors: nano, vim-full
  • Encryption: certtool, cryptsetup
  • Filesystem: exfat-mkfs, f2fs-tools, nfs-utils, ntfs-3g, resize2fs, squashfs-tools-mksquashfs, squashfs-tools-unsquashfs,
  • Shells: bash
  • Terminal: screen, tmux
  • Zoneinfo: zoneinfo-europe

dockerd dependencies: kmod-crypto-acompress kmod-lib-lzo kmod-lib-zlib-inflate kmod-lib-zlib-deflate kmod-lib-raid6 kmod-lib-xor kmod-lib-zstd kmod-fs-btrfs kmod-br-n etfilter kmod-ikconfig kmod-nf-ipvs kmod-veth

build

build with explicitely specifying first the download action, to avoid simple make fail when multi-core option is set.

if build fails, re-run make without multi-core options (aka -j 1)

make -j13 download && make -j13 world

After build, output images can be found in subdirectory bin/targets/rockchip/armv8/

build errors

ERROR: package/libs/gettext-full [host] failed to build.

• cf. https://bugs.openwrt.org/index.php?do=details&task_id=77
• fix by make package/gettext-full/host/clean && make V=s package/gettext-full/host/compile

ERROR: package/feeds/packages/samba4 [host] failed to build.

• Network/samba4-utils, ... makes compilation fail ; remove it.

write on SD card.

gunzip and write on SD card the SQUASHFS generated image: ./bin/targets/rockchip/armv8/openwrt-rockchip-armv8-friendlyarm_nanopi-r4s-squashfs-sysupgrade.img

access

ssh

• after fresh install, connect on LAN port: ssh [email protected] (no password)

config nanopi r4s:

4rd traffic mapping

For 4rd (=encapsulation of IPv4 traffic into IPv6 packets):

• install the package map (better: include in compiled image)

  edit /lib/netifd/proto/map.sh

line 66, replace:

echo "$RULE_DATA" >> /tmp/map-$cfg.rules
eval $RULE_DATA

with (replace xxxx:xxxx:xxxx by your own IPv6)

echo "$RULE_DATA" >> /tmp/map-$cfg.rules
  [ -z "${RULE_DATA##*2a01:xxxx:xxxx:xxxx::fffd*}" ] && sed -i "s/RULE_1_IPV6ADDR=.*/RULE_1_IPV6ADDR=${ip6prefix%?}0:ffff:ffff:0/" /tmp/map-$cfg.rules
  RULE_DATA=`cat "/tmp/map-$cfg.rules"`
eval $RULE_DATA

line 130 replace:

• proto_add_ipv4_route "0.0.0.0" 0
• with [ ! -z "${RULE_DATA##*2a01:xxxx:xxxx:xxxx::ffff*}" ] && proto_add_ipv4_route "0.0.0.0" 0

wan6 configuration

_/!\ /!\ /!\ for the moment, eth0 promiscuous mode is mandatory (cf. below) /!\ /!\ /!_

full /etc/config/network:

config interface 'loopback'
	option ifname 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'xxxx:xxxx:xxxx::/48'

config interface 'lan'
	option type 'bridge'
	option ifname 'eth1'
	option proto 'static'
	option ip6assign '60'
	list dns '8.8.8.8'
	list dns '8.8.4.4'
	list dns '9.9.9.9'
	option ipaddr '192.168.0.254'
	option netmask '255.255.255.0'

config device 'lan_eth1_dev'
	option name 'eth1'
	option macaddr 'xx:xx:xx:xx:xx:xx:xx:xx'

config interface 'wan'
	option ifname 'eth0.836'                 # L'interface sur laquel le tunnel va communiquer
	option delegate '0'                      # On desactive l'integration de l'IPv6 automatique sur cette interface, car on est en IPv4
	option tunlink 'wan6'                    # On remet l'interface sur laquel il communique
	option proto 'map'                       # Le protocole
	option type 'map-e'                      # Le sous-protocole (map-e pour nous, pas lw6over4)
	option peeraddr '2a01:xxxx:xxxx:xxxx::fffd' # L'adresse du tunnel cote serveur
	option ipaddr 'xx.xx.xx.xx'              # L'ip full stack qui vous a ete attribue et qui se trouve sur votre espace client
	option ip4prefixlen '32'                 # Le prefixe de l'IP
	option ip6prefix '2a01:xxxx:xxxx:xxxx::'    # la plage/prefix IPv6 fournie par Free
	option ip6prefixlen '60'                 # La longueur du prefix
	option encaplimit 'ignore'               # pas d'encapsulation limit
	option defaultroute '1'                  # definir comme route par defaut
# no, don't force MTU (*)
# option mtu '1500'

	# defini, le nombre de port attribues, rang, etc... ici pour du full-stack.
	option ealen '32'
	option psidlen '1'
	option offset '16'
	option psid '65535'

config interface 'wan6_4'
  option delegate '0'                     # Pas d'IPv6
  option defaultroute '0'                 # On ne definit pas comme route par defaut
  option proto 'static'                   # On lui dit que c'est une adresse static(le protocole map s'occupera de faire le lien)
  option force_link '0'                   # pas besoin de forcer le lien
  list ipaddr 'xx.xx.xx.xx/32'            # Votre adresse IP ephemere.


config interface 'wan6'
  option ifname 'eth0.836'                # Correspond au num..ro de l'interface dans le routeur g..n..ralement 0 pour le WAN, parfois 1 suivi du vlan de Free.
  option proto 'dhcpv6'                   # correspond au protocole. Ici, du dhcpv6 standard.
  option reqprefix 'auto'                 # On le laisse demander la plage IPv6 obtenu (normalement un /60)
  option reqaddress 'try'                 # On laisse en try pas besoin de forcer la requete
  option macaddr 'xx:xx:xx:xx:xx:xx'      # On change l...adresse MAC du routeur pour celui de la freebox
  list dns '2001:4860:4860::8888'         # On attribue les dns IPv6 de google.
  option peerdns '0'                      # On refuse les dns Free.
# no, don't force MTU (*)
# option mtu '1700'                       # On augmente le mtu standard a 1700, pour encapsuler l'IPv4

# (*) don't force MTU, leave openwrt set its own automatically
# because 1700 on wan6 won't be really set and the value of 1500 of ipv4 will make HTTPS SSL handshake fail

add /etc/init.d/promiscuous & enable service

#!/bin/sh /etc/rc.common
START=19
STOP=15
 
start() {        
  echo start
	ifconfig eth0 promisc
}                 
 
stop() {          
  echo stop
}

• to start immediatly: /etc/init.d/promiscuous start
• to enable auto-run at boot: /etc/init.d/promiscuous enable