AICCU support for merlin firmware

probutus
Thank you very much for this great firmware modification.

I was searching around a little bit to see if anyone had already added support for aiccu, which is a special IPv6 tunnelling software provided by SixXS:

http://www.sixxs.net/archive/sixxs/aiccu/unix/aiccu_current.tar.gz

I already managed to get aiccu integrated into your most recent source tree; it compiles and works just fine. The only thing I did not manage to find out is how to add a new menu entry for AICCU in the IPv6 tab and how to generate the configuration file based on the given input.

The configuration info is pretty simple:

username string
password string
tunnelid string
use TLS boolean

AICCU needs to be started after the time base has been received via NTP. I searched in the source tree and found out that Asus does the complete startup handling in C code. Is there an easier way to start the daemon dependent on the availability of a valid system time?
 

Attachments

  • aiccu_20070115.patch.zip (3.6 KB)
I would put it in wan-start, giving it a sleep 10 delay to give it time to finalize things such as setting up the clock.

Fully integrating would require code to be added to the rc service. Not something that simple.
 
Thanks for the hint, but the problem then is that I can't start radvd manually (since the admin user is not named "root"); it rants about incorrect privileges for radvd.conf. Unfortunately, I can't enable radvd without having some option chosen from the IPv6 menu...

By the way: I managed to compile mini_fo for the router and mounted the www directory as an overlay filesystem, so I could easily manipulate the asp files.

I have an adapted Advanced_IPv6_Config.asp which already contains the correct forms. I have seen how the values are read from the NVRAM for display. What I did not yet find out is how the files are stored when I click the commit button. Can you give me a hint?

EDIT: attached mini_fo modules: docs are here http://www.denx.de/wiki/Know/MiniFOFAQ
Please rename attachment from .pdf to .zip
 

Attachments

  • mini_fo.zip.pdf (283.3 KB)
Thanks for the hint, but the problem then is that I can't start radvd manually (since the admin user is not named "root"); it rants about incorrect privileges for radvd.conf.

Just specify the username to use:

radvd -u admin
 
Great job, but could you please give a hint how I can integrate this on my own?
I am more than happy to make the build after several experiments.

Number of gids 0
ctools/trx -o image/linux-lzma.trx lzma-loader/loader.gz ctools/vmlinuz-lzma ctools/target.squashfs
warning: increasing offset 2699 to 2700
ctools/trx_asus -i image/linux-lzma.trx -r RT-N16,3.0.0.4,image/RT-N16_3.0.0.4_264.23.trx



Creating ASUS RT-N16 firmware to image/RT-N16_3.0.0.4_264.23.trx

TRX Image:
Total Size .... : 24363008 (23792.0 KB) (23.2 MB)
CRC-32 ........ : 9B798E46


make[2]: Leaving directory `/home/tom/asuswrt-merlin/release/src-rt'
make[1]: Leaving directory `/home/tom/asuswrt-merlin/release/src-rt'
root@bbx0667:/home/tom/asuswrt-merlin/release/src-rt#

BTW, the AICCU launch is a little bit tricky (be aware of the NTP). I maintain e.g. the OpenBSD AICCU wiki on SixXS. After several experiments with DD-WRT, OpenWRT, FreeBSD and OpenBSD I am now playing with Merlin ;->

Next question is where to place the configuration data to survive a reboot?
In addition, an adapted ip6tables configuration.


F41THR

Looks like this is feasible on the standard ASUS firmware, too.

admin@RT-N16:/tmp# ./aiccu
aiccu (start|stop|brokers|tunnels|test|autotest|license|version) [<configfile>]
 
Great job, but could you please give a hint how I can integrate this on my own?
I am more than happy to make the build after several experiments.

First, you have to download the patches I submitted in the first post and the full aiccu_20070115.tar.gz file from sixxs; extract this tar.gz archive into release/src/router

then change into this directory and do a

patch -p1 < aiccu_20070115.patch

The second patch is in release/src/router/config:

patch -p1 < config.in.patch

Last but not least in release/src/router:

patch -p1 < release_src_router_Makefile.patch

If you do a "make" of the merlin firmware you will be prompted if you want to have aiccu support (this is because I did not add this option into the configuration yet)

The released firmware then contains the aiccu binary in /usr/sbin

I searched everywhere and I could not find the aiccu package, this is why I compiled it on my own ;-)

Next question is where to place the configuration data to survive a reboot?
In addition, an adapted ip6tables configuration.

I created the jffs partition and put the radvd.conf and the aiccu.conf into /jffs/configs. I also extended the web frontend to have an additional menu for aiccu but I don't have a clue yet how to persist the form contents into the nvram... (@RMerlin: do you have a hint for me?)

Here's my start_aiccu.sh:

#!/bin/sh
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
aiccu start /jffs/configs/aiccu.conf

radvd -C /jffs/configs/radvd.conf -u admin

# First, delete all:
ip6tables -F
ip6tables -X

# Allow anything on the local link
ip6tables -A INPUT -i lo -j ACCEPT
ip6tables -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
ip6tables -A OUTPUT -o sixxs -j ACCEPT
# Allow established, related packets back in
ip6tables -A INPUT -i sixxs -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the localnet access us:
ip6tables -A INPUT -i br0 -j ACCEPT
ip6tables -A OUTPUT -o br0 -j ACCEPT

# Filter all packets that have RH0 headers:
ip6tables -A INPUT -m rt --rt-type 0 -j DROP
ip6tables -A FORWARD -m rt --rt-type 0 -j DROP
ip6tables -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow Link-Local addresses
ip6tables -A INPUT -s fe80::/10 -j ACCEPT
ip6tables -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
ip6tables -A INPUT -d ff00::/8 -j ACCEPT
ip6tables -A OUTPUT -d ff00::/8 -j ACCEPT

# Allow ICMPv6 everywhere
ip6tables -I INPUT -p icmpv6 -j ACCEPT
ip6tables -I OUTPUT -p icmpv6 -j ACCEPT
ip6tables -I FORWARD -p icmpv6 -j ACCEPT

# Allow forwarding
ip6tables -A FORWARD -m state --state NEW -i br0 -o sixxs -s XXXX:XXXX:XXXX::/64 -j ACCEPT
ip6tables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# SSH in
ip6tables -A FORWARD -i sixxs -p tcp -d XXXX:XXXX:XXXX::XXXX:XXXXX:XXXX --dport 22 -j ACCEPT

# Bittorrent
ip6tables -A FORWARD -i sixxs -p tcp -d XXXX:XXXX:XXXX::XXXX:XXXXX:XXXX --dport 33600:33604 -j ACCEPT

# Set the default policy
ip6tables -P INPUT DROP
ip6tables -P FORWARD DROP
ip6tables -P OUTPUT DROP

I can start aiccu and ping e.g. heise.de from the router, but from my laptop I can't reach the IPv6 internet (but got the correct subnet from radvd)...

Edit: add ip6tables config

Edit 2: If you like, I can provide you my binary which contains the latest merlin fw with aiccu included
 
For nvram values to work properly, you must define default values in shared/defaults.c .
 
For nvram values to work properly, you must define default values in shared/defaults.c .

That was it! Now I can see and save the values; I have seen that in the HTML document there is a reference to some script called "restart_allnet" which seems to be inside
release/src/router/rc/services.c

ipv6_aiccu_tls=0
ipv6_service=aiccu
ipv6_aiccu_pass=test2
ipv6_aiccu_tunnelid=test3
ipv6_aiccu_user=test


<input type="hidden" name="action_script" value="restart_allnet">
 

Attachments

  • AICCU.png (23.8 KB)
That was it! Now I can see and save the values; I have seen that in the HTML document there is a reference to some script called "restart_allnet" which seems to be inside
release/src/router/rc/services.c

<input type="hidden" name="action_script" value="restart_allnet">

Can you send me the patches for this? I couldn't find it ;-<

At least we have to define in some source code that all this can be set via the web interface. So far I have no clue where to find the settings you show in your post.

jffs seems to be OK, I made the patches so far.

username Username/Tunnel
password PASSWORD
protocol tic
server tic.sixxs.net
ipv6_interface interfacename
verbose true
daemonize true
automatic true
requiretls false
defaultroute true


F41THR
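Tying RMerlin's wan-start hint and the aiccu.conf keys above together, here is an added example (not from this thread or the asuswrt-merlin tree) of a wan-start script that renders aiccu.conf from the ipv6_aiccu_* nvram values, writes it mode 0600 because it holds the tunnel password, and polls for a sane clock instead of a fixed sleep before starting aiccu. The /jffs/scripts/wan-start placement, the 2013 epoch threshold and the sixxs interface name are assumptions.

```shell
#!/bin/sh
# Assumed: saved as /jffs/scripts/wan-start on asuswrt-merlin (hypothetical placement);
# the ipv6_aiccu_* nvram names are the ones from the thread, the conf keys are aiccu's own.
AICCU_CONF=/jffs/configs/aiccu.conf
WAN_IF=sixxs                 # tunnel interface name used by the scripts in this thread
MIN_EPOCH=1356998400         # 2013-01-01 UTC: anything earlier means NTP has not synced yet

# The web form stores TLS as 0/1; aiccu wants true/false.
tls_flag() { [ "$1" = "1" ] && echo true || echo false; }

# Render aiccu.conf from explicit values (args: user pass tunnel_id tls). Returns 1 when
# user or tunnel id is empty, so a half-filled form never yields a config aiccu logs in with.
render_aiccu_conf() {
    [ -n "$1" ] && [ -n "$3" ] || return 1
    printf 'username %s\npassword %s\ntunnel_id %s\n' "$1" "$2" "$3"
    printf 'protocol tic\nserver tic.sixxs.net\nipv6_interface %s\n' "$WAN_IF"
    printf 'requiretls %s\ndaemonize true\nautomatic true\ndefaultroute true\n' "$(tls_flag "$4")"
}

# Pull the values the IPv6 page saved and write the file mode 0600: it holds the password.
write_aiccu_conf() {
    conf=$(render_aiccu_conf "$(nvram get ipv6_aiccu_user)" "$(nvram get ipv6_aiccu_pass)" \
                             "$(nvram get ipv6_aiccu_tunnelid)" "$(nvram get ipv6_aiccu_tls)") || return 1
    ( umask 077; printf '%s\n' "$conf" > "$AICCU_CONF" )
}

# 0 when the given epoch seconds look like NTP-synced time rather than the 1970 boot clock.
clock_is_valid() { [ "$1" -ge "$MIN_EPOCH" ] 2>/dev/null; }

# Poll the clock up to $1 times, $2 seconds apart: a fixed "sleep 10" is a guess, this is not.
wait_for_clock() {
    tries=$1
    while [ "$tries" -gt 0 ]; do
        clock_is_valid "$(date +%s)" && return 0
        tries=$((tries - 1)); sleep "$2"
    done
    return 1
}

start_aiccu() {
    write_aiccu_conf || { logger -t aiccu "incomplete ipv6_aiccu_* settings"; return 1; }
    wait_for_clock 30 10 || { logger -t aiccu "no valid time, aiccu not started"; return 1; }
    aiccu start "$AICCU_CONF"
}

# Only start the daemon when run as the wan-start hook, so the functions can be sourced safely.
case "$0" in */wan-start) start_aiccu ;; esac
```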
 
Can you send me the patches for this? I couldn't find it ;-<

F41THR

patches are in the zip file (this time we have 2 files):

in src/router/shared

patch -p1 < src_router_shared_defaults_c.patch

in src/router/www

patch -p1 < src_router_www.patch

The first patch adds the contents to the nvram default values and the second patch enhances the IPv6 page
 

Attachments

  • asuswrt_2nd_patchset.zip (1.6 KB)
Update

Confirmed: ASUS RT-N16 works fine with Merlin Firmware.
Might have some issue I'll report later.

With support from probutus, we made the AICCU integration.
After a few mails between probutus and me I finally made it. And I have some recommendations on FW security. See script below.
(Manual load of conntrack and logging). This is not the final one; a more sophisticated one will be made available later this month.

Following my experience with pf on OpenBSD, it can be simplified later on! Even with ip6tables!

So primarily thanks to Merlin for the Merlin Firmware of ASUS Routers and then to probutus for the AICCU integration.

cu F41THR

#!/bin/sh
echo 0 > /proc/sys/net/ipv6/conf/default/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/default/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/disable_ipv6
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
aiccu start /jffs/configs/aiccu.conf
ifconfig br0 2001:XXXX:XXXX::1/64
radvd -C /jffs/configs/radvd.conf -u admin

#
# !!!!! load conntrack manually
#
insmod /lib/modules/2.6.22.19/kernel/net/ipv6/netfilter/nf_conntrack_ipv6.ko

# Definitions
IP6TABLES='/usr/sbin/ip6tables'

WAN_IF='sixxs'
LAN_IF='br0'

SUBNETPREFIX='2001:4dd0:ff00:8ab8::/48'
MYTUNNEL='2001:4dd0:ff00:ab8::2'
SIXXSTUNNEL='2001:4dd0:ff00:ab8::1'


$IP6TABLES -F INPUT
$IP6TABLES -F OUTPUT
$IP6TABLES -F FORWARD

$IP6TABLES -F
$IP6TABLES -X

# DROP all incoming traffic
$IP6TABLES -P INPUT DROP
$IP6TABLES -P OUTPUT DROP
$IP6TABLES -P FORWARD DROP

# Filter all packets that have RH0 headers:
$IP6TABLES -A INPUT -m rt --rt-type 0 -j DROP
$IP6TABLES -A FORWARD -m rt --rt-type 0 -j DROP
$IP6TABLES -A OUTPUT -m rt --rt-type 0 -j DROP

# Allow anything on the local link
$IP6TABLES -A INPUT -i lo -j ACCEPT
$IP6TABLES -A OUTPUT -o lo -j ACCEPT

# Allow anything out on the internet
$IP6TABLES -A OUTPUT -o $WAN_IF -j ACCEPT
# Allow established, related packets back in
#ip6tables -A INPUT -i sixxs -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow the localnet access us:
$IP6TABLES -A INPUT -i $LAN_IF -j ACCEPT
$IP6TABLES -A OUTPUT -o $LAN_IF -j ACCEPT

# Allow Link-Local addresses
$IP6TABLES -A INPUT -s fe80::/10 -j ACCEPT
$IP6TABLES -A OUTPUT -s fe80::/10 -j ACCEPT

# Allow multicast
$IP6TABLES -A INPUT -d ff00::/8 -j ACCEPT
$IP6TABLES -A OUTPUT -d ff00::/8 -j ACCEPT

# Paranoia on ipv6 interface
$IP6TABLES -I INPUT -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p tcp --syn -j DROP
$IP6TABLES -I INPUT -i $WAN_IF -p udp -j DROP
$IP6TABLES -I FORWARD -i $WAN_IF -p udp -j DROP

# Allow forwarding on ipv6 interface
$IP6TABLES -A FORWARD -m state --state NEW -i $LAN_IF -o $WAN_IF -s $SUBNETPREFIX -j ACCEPT
$IP6TABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow some special ICMPv6 packettypes, do this in an extra chain because we need it everywhere
$IP6TABLES -N AllowICMPs
# Destination unreachable
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 1 -j ACCEPT
# Packet too big
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 2 -j ACCEPT
# Time exceeded
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 3 -j ACCEPT
# Parameter problem
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 4 -j ACCEPT
# Echo Request (protect against flood)
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 128 -m limit --limit 5/sec --limit-burst 10 -j ACCEPT
# Echo Reply
$IP6TABLES -A AllowICMPs -p icmpv6 --icmpv6-type 129 -j ACCEPT
# Link in tables INPUT and FORWARD (in OUTPUT we allow everything anyway)
$IP6TABLES -A INPUT -p icmpv6 -s $SIXXSTUNNEL -d $MYTUNNEL -j AllowICMPs
$IP6TABLES -A FORWARD -p icmpv6 -j AllowICMPs

# SSH in
##$IP6TABLES -A FORWARD -i sixxs -p tcp -d <subnet-prefix>::5 --dport 22 -j ACCEPT

# Log
$IP6TABLES -A INPUT -j LOG --log-prefix "IPv6-INPUT:"
$IP6TABLES -A FORWARD -j LOG --log-prefix "IPv6-FORWARD:"
$IP6TABLES -A OUTPUT -j LOG --log-prefix "IPv6-OUTPUT:"

Replace

SUBNETPREFIX='your-prefix/48'
MYTUNNEL='see Your IPv6 on SIXXS'
SIXXSTUNNEL='see Pop IPv6 on SIXXS'

with your settings.
 
I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via webinterface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...
 
I'm currently having a hell of a time with integrating aiccu into rc... RMerlin was absolutely right that this would be the "fun part"....

Is there a chance to configure the IPv4/IPv6 firewall rules via webinterface?
Starting and stopping aiccu is one thing but having a customizable firewall is another...

Maybe I'm completely wrong, but have a look at jffs. Custom scripts can be placed there. aiccu and the IPv6 FW can be configured via ssh. An autolauncher during startup makes sense, but everything else can be handled via ssh.

This is similar to the implementations on OpenWRT, DD-WRT, etc...
SixXS and AICCU are not so popular that vendors spend much effort to integrate them. Look at Manuel Kasper's m0n0wall, there you have a full web based integration.

But having a look at rc could be interesting; I'll start to look into that, too.
Some ideas on that:

It could be much easier to create and add a few handy static scripts in
~/asuswrt-merlin/release/src-rt/router/rc/ to launch e.g. aiccu, radvd and the firewall. Or one script launching all together.

The related config files can be placed either in jffs or /mnt/sda1/etc/config/
Scripts check if a config file exist and will be fired up. So there is no need to place defaults in NVRAM.
A feasible place for scripts is /etc/rc.d/

Question is how a script can be integrated, but this is an option of the Makefile in ../router

I'll just have a deeper look into the ip6tables configuration and I'll place an updated version soon (see also the SIXXS WIKI later on).



Regards

F41THR
 