<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML
><HEAD
><TITLE
>Linksys Blue Box Router HOWTO</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD
><BODY
CLASS="article"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><DIV
CLASS="ARTICLE"
><DIV
CLASS="TITLEPAGE"
><H1
CLASS="title"
><A
NAME="AEN2"
></A
>Linksys Blue Box Router HOWTO</H1
><H3
CLASS="author"
><A
NAME="AEN4"
>Eric Steven Raymond</A
></H3
><DIV
CLASS="affiliation"
><SPAN
CLASS="orgname"
><A
HREF="http://www.catb.org/~esr/"
TARGET="_top"
>Thyrsus Enterprises</A
><BR></SPAN
></DIV
><DIV
CLASS="revhistory"
><TABLE
WIDTH="100%"
BORDER="0"
><TR
><TH
ALIGN="LEFT"
VALIGN="TOP"
COLSPAN="3"
><B
>Revision History</B
></TH
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 2.3</TD
><TD
ALIGN="LEFT"
>2006-08-12</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Minor update. Announce End of HOWTO maintenance.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 2.3</TD
><TD
ALIGN="LEFT"
>2006-05-19</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Revised the list of open firmware distributions, and other minor
corrections.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 2.2</TD
><TD
ALIGN="LEFT"
>2005-12-01</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Removed the suggestion that Cisco be boycotted over the Lynn
firing, as the lawsuit seems to have been settled on satisfactory
terms. Added advice to get the WRT54GL.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 2.1</TD
><TD
ALIGN="LEFT"
>2005-07-28</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Added the suggestion that Cisco be boycotted over the Lynn firing.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 2.0</TD
><TD
ALIGN="LEFT"
>2005-01-18</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Major update to reflect changes in 2.x and 3.x firmware.
More firmware replacements described. Dropped Hansen Online
as it hasn't been updated in a while.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.6</TD
><TD
ALIGN="LEFT"
>2004-02-26</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Added Link-n-Log</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.5</TD
><TD
ALIGN="LEFT"
>2003-07-31</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Added the Seattle wireless.net link.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.4</TD
><TD
ALIGN="LEFT"
>2003-07-03</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Linksys has released source code.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.3</TD
><TD
ALIGN="LEFT"
>2003-06-08</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Added notes about SNMP security problems, casemodding, Linksys
tech support. The Linksys turns out to have Linux inside.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.2</TD
><TD
ALIGN="LEFT"
>2003-04-29</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Typo corrections.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.1</TD
><TD
ALIGN="LEFT"
>2003-04-25</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Added link to the linksysmon project. More configuration tips.</TD
></TR
><TR
><TD
ALIGN="LEFT"
>Revision 1.0</TD
><TD
ALIGN="LEFT"
>2003-04-09</TD
><TD
ALIGN="LEFT"
>Revised by: esr</TD
></TR
><TR
><TD
ALIGN="LEFT"
COLSPAN="3"
>Initial release, reviewed by LDP.</TD
></TR
></TABLE
></DIV
><DIV
><DIV
CLASS="abstract"
><A
NAME="AEN72"
></A
><P
></P
><P
>Linksys makes a line of cheap, ubiquitous router/firewall boxes
(models BEFSR41 and up, including the WRT54G) well-suited for use on a home
DSL connection and popular among Linux hackers. This HOWTO gives hints and
tips for managing Linksys routers from a Linux system, including the
firmware upgrade procedure.</P
><P
><EM
>This HOWTO is no longer actively maintained,
because as of 12 Oct 2006 the author is no longer a Linksys
user.</EM
> Time and technology march on, and I now have a much
fancier router in my basement that came with my optical-fiber service. If
you are qualified and interested in taking it over, contact me.</P
><P
></P
></DIV
></DIV
><HR></DIV
><DIV
CLASS="TOC"
><DL
><DT
><B
>Table of Contents</B
></DT
><DT
>1. <A
HREF="#introduction"
>Introduction</A
></DT
><DD
><DL
><DT
>1.1. <A
HREF="#purpose"
>Why this document?</A
></DT
><DT
>1.2. <A
HREF="#newversions"
>New versions of this document</A
></DT
><DT
>1.3. <A
HREF="#license"
>License and Copyright</A
></DT
></DL
></DD
><DT
>2. <A
HREF="#howandwhen"
>How and where to deploy</A
></DT
><DT
>3. <A
HREF="#lostmanual"
>Lost the manual?</A
></DT
><DT
>4. <A
HREF="#confighints"
>Configuration hints</A
></DT
><DT
>5. <A
HREF="#upgradingfirmware"
>Upgrading the firmware</A
></DT
><DT
>6. <A
HREF="#AEN203"
>Hacking the hardware</A
></DT
><DT
>7. <A
HREF="#AEN207"
>Hacking the software</A
></DT
><DT
>8. <A
HREF="#Utilities"
>Utilities</A
></DT
><DT
>9. <A
HREF="#ts-tips"
>Troubleshooting tips</A
></DT
><DD
><DL
><DT
>9.1. <A
HREF="#catatonia"
>Occasional catatonia and epilepsy</A
></DT
><DT
>9.2. <A
HREF="#mozillaquirks"
>Mozilla interface quirks under 1.38 and earlier firmware</A
></DT
></DL
></DD
><DT
>10. <A
HREF="#resources"
>Related Resources</A
></DT
></DL
></DIV
><DIV
CLASS="sect1"
><H1
CLASS="sect1"
><A
NAME="introduction"
></A
>1. Introduction</H1
><DIV
CLASS="sect2"
><H2
CLASS="sect2"
><A
NAME="purpose"
></A
>1.1. Why this document?</H2
><P
>Linksys makes a line of cheap, ubiquitous router/firewall boxes
well-suited for use on a home DSL or cable connection and popular among Linux
hackers. This HOWTO gives hints and tips for managing Linksys routers
from a Linux system.</P
><P
>The specific recipes described here are derived from long experience
with a BEFSR41, the 4-port router/firewall box. I have also configured a
BEFW11S4v2, the 4-port router with 802.11b wireless, and the WRT54G, which
is the same box with 802.11g; I'm currently using a WRT54G. The web
interfaces on all these blue boxes are very similar, and most of the advice
should generalize.</P
><P
>In late 2004 the Linksys firmware underwent a major upgrade to 2.x
(one easy way to spot this is the Cisco logo at the lower right). I
haven't seen anything but a WRT54G running the new interface, but I'd be
surprised if it weren't running on the BEFSR41 and kin as well. The
changes are largely cosmetic. Some problematic features in earlier
versions have been removed.</P
><P
>This HOWTO describes Linksys firmware version v2.02.7. At time of
writing (January 2005) the current Linksys firmware version is v.3.01.3.
<EM
>I do not recommend upgrading!</EM
> I've had a report that
enabling WEP on this version makes the box unable to talk to a Linux
machine over a cable.</P
><P
>Also note that if you go looking for one of these now, be sure to get
the WRT54GL — note the L suffix. At Version 5 and up, the vanilla
WRT54G is different hardware with less RAM that runs a proprietary
VxWorks OS.</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="newversions"
></A
>1.2. New versions of this document</H2
><P
>You can also view the latest version of this HOWTO on the World Wide Web
via the URL <A
HREF="http://www.tldp.org/HOWTO/Linksys-Blue-Box-Router-HOWTO.html"
TARGET="_top"
> http://www.tldp.org/HOWTO/Linksys-Blue-Box-Router-HOWTO.html</A
>.</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="license"
></A
>1.3. License and Copyright</H2
><P
>Copyright (c) 2003, Eric S. Raymond.</P
><P
>Permission is granted to copy, distribute and/or modify this document
under the terms of the GNU Free Documentation License, Version 1.2
or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is located at <A
HREF="http://www.gnu.org/copyleft/fdl.html"
TARGET="_top"
>www.gnu.org/copyleft/fdl.html</A
>.</P
><P
>Feel free to mail any questions or comments about this HOWTO to Eric
S. Raymond, <TT
CLASS="email"
>&lt;<A
HREF="mailto:esr@snark.thyrsus.com"
>esr@snark.thyrsus.com</A
>&gt;</TT
>. But please don't ask me
to troubleshoot your general networking problems; if you do, I'll just
ignore you.</P
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="howandwhen"
></A
>2. How and where to deploy</H1
><P
>The Linksys BEFSR41, BEFW11, WRT54G and their siblings are designed
to be used as gateway boxes on a home Ethernet. Typically, you'll hook one
up to a DSL or cable modem, which will automatically switch into bridge
mode and simply pass packets between your ISP's router and the Linksys box.
</P
><P
>If you want to use a general-purpose PC running Linux as a firewall,
have fun — but these little boxes are more efficient. The nicest
thing about them is that they run out of firmware and, assuming you take
the elementary precautions we describe, are too stupid to be cracked.
Also, they don't generate fan noise or heat. Finally, they run Linux
inside and can be customized and hacked in useful ways.</P
><P
>Linksys boxes used to have a good reputation for reliability.
Something bad happened to their quality control after Cisco acquired the
company in March 2003; I had two go silently dead on me in less than a
year, and I heard grumbling from others about similar problems.
Unfortunately when I tried other low-end brands (Belkin, Buffalo) they
proved to have gross design errors. The Belkin had brain-damage in its
firewall rules that interfered with local SMTP, and the Buffalo
intermittently refused connections for no apparent reason. So I went back
with Linksys, hoping my WRT54G wouldn't turn into a doorstop within a couple
of months. As of mid-2006, I've been OK for about 24 months.</P
><P
>(Building one of these puppies is not rocket science. I can only
conjecture that the competitive pressure is driving the manufacturers to cut
costs to the bone by hiring programmers out of the bottom of the barrel
and having the manufacturing done by some low-end contract house
in Indonesia or somewhere. The results, alas, tend to be unstable
crap. Caveat emptor.)</P
><P
>Note another consequence of the Cisco acquisition: Linksys is now
what marketers call a flank guard, a low-end brand designed to protect the
margins and brand image of Cisco's commercial-grade networking products.
This means that Linksys boxes are no longer acquiring new firmware
features, and some old ones like stateful packet inspection almost
certainly won't be coming back. Provided you can live within these limits,
this is actually good; simpler firmware is more stable firmware. And, in
any case, the open-source replacement firmwares can give you back the
features and complexity if you want them.</P
><P
>At minimum, a live Linksys box will do the following things for
you:</P
><P
></P
><OL
TYPE="1"
><LI
><P
><EM
>Act as an Ethernet router.</EM
> You can
plug all your lines and hubs and hosts into it to exchange packets even
when your outside link is down.</P
></LI
><LI
><P
><EM
>Act as a smart gateway.</EM
> When you
configure the Linksys with a public static IP address (or tell it to grab a
dynamic IP address from your ISP at startup time), it will gateway between
hosts on your private network and the Internet, performing all the IP
masquerading and address translation required to route your traffic.</P
></LI
><LI
><P
><EM
>Firewall your connection.</EM
> You can
tell it to block out all but the minimum service channels you need. You can
specify separately, for each service, to which of your internal machines
the traffic should be routed.</P
></LI
></OL
><P
>I give my Linksys box the standard private-network gateway
address, 192.168.1.1. I then give all my boxes 192.168.1.x addresses
and tell them the Linksys is their gateway. Everything works.</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="lostmanual"
></A
>3. Lost the manual?</H1
><P
>If you've lost the manual, or acquired a secondhand unit that doesn't
have one with it, never fear. Under the Help tab in older versions there
are links to the PDF and to the <A
HREF="http://linksys.com"
TARGET="_top"
>Linksys
corporate website</A
>. Newer versions have reference documentation
built into the firmware, a good thing if your net connection is
down.</P
><P
>Unfortunately, you're in trouble if you have to bring in Linksys tech
support. On the one occasion that I called them (in 2003), the first tech
I raised couldn't even speak English, and the second was barely competent
at it. Both were complete and utter idiots whose response to any
nontrivial question was to put me on infinite hold while they went
off to query someone else — and then garbled the answer. Judging
by their accents, my guess is that Linksys tech support has been outsourced
to some particularly benighted corner of the Third World.</P
><P
>I've heard somewhat better of their email support, but have not
tested it myself.</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="confighints"
></A
>4. Configuration hints</H1
><P
>For security, do these things through the Linksys web interface
(probably at <A
HREF="http://192.168.1.1"
TARGET="_top"
>http://192.168.1.1</A
> on
your network):</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
><EM
>Change your administrative
password.</EM
> On 15 June 2004 it was <A
HREF="http://slashdot.org/article.pl?sid=04/06/03/0337205&mode=thread&tid=137&tid=193&tid=215"
TARGET="_top"
>widely
reported</A
> that turning off the remote admin feature doesn't work
— you can still get at the administration page from the wireless
side. This bug is still present in the 2.02 firmware, October 2004. It
means that if you leave your password at default, any script kiddie can
break in, steal your WEP, and scramble your configuration. The Linksys
people get the moron medal with oak-leaf cluster for this screwup.</P
><P
>(I don't know if this bug is still present in the 3.x firmware. It
would be a good idea to check.)</P
></LI
><LI
><P
><EM
>Make sure the DMZ host feature is
disabled</EM
>, under
<SPAN
CLASS="guimenu"
>Applications</SPAN
>+<SPAN
CLASS="guimenu"
>Gaming</SPAN
>-><SPAN
CLASS="guimenuitem"
>DMZ
Host</SPAN
>, or (in newer
versions) <SPAN
CLASS="guimenu"
>Applications &amp;
Gaming</SPAN
>-><SPAN
CLASS="guimenuitem"
>DMZ Host</SPAN
>. It
defaults off.</P
></LI
><LI
><P
><EM
>Port-forward specific services instead of
setting up a DMZ</EM
>, and as few of those as you can get away with.
A good minimum set is 22 (ssh), and 80 (http). If you want to receive mail
add 25 (smtp). If you need to serve DNS queries, add 53. To serve identd
so remote MTAs can verify your identity, enable 113.</P
></LI
><LI
><P
><EM
>Disable Universal Plug and
Play.</EM
> Look under
<SPAN
CLASS="guimenu"
>Password</SPAN
>. There is a radio
button for this under the <SPAN
CLASS="QUOTE"
>"Password"</SPAN
> tab; newer firmware
versions put it under
<SPAN
CLASS="guimenu"
>Administration</SPAN
>+<SPAN
CLASS="guimenu"
>Management</SPAN
>.
<SPAN
CLASS="acronym"
>UPnP</SPAN
> is a notorious security hole in Windows, and up to
at least firmware version 1.44 there was a lot of Web scuttlebutt that the
Linksys implementation is flaky. While this won't affect operating systems
written by <EM
>competent</EM
> people, there is no point in
having traffic from a bunch of script-kiddie probes even reach your
network.</P
></LI
></OL
></DIV
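><P
>A check for the DMZ and port-forwarding advice above, as an added example that is not part of the original HOWTO: it tries a TCP connect to each port on your router's external address and reports ports that answer although you did not mean to forward them. The function names and the extra candidate port list are assumptions made for illustration, and only TCP is tested, so DNS over UDP on port 53 is not covered.</P
>

```python
#!/usr/bin/env python3
"""Audit which TCP ports answer on a router's external address.

Added example, not part of the HOWTO. Function names and the extra
candidate ports are illustrative assumptions.
"""
import socket
import sys

# Services the HOWTO names as reasonable to forward (port -> name).
HOWTO_SERVICES = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 113: "identd"}

# Constructed sample of other ports that tend to answer when a DMZ host or a
# forgotten forward exposes an internal machine.
EXTRA_CANDIDATES = (21, 23, 110, 111, 139, 143, 443, 445, 631, 3306, 5900, 8080)

DEFAULT_CANDIDATES = tuple(sorted(set(HOWTO_SERVICES) | set(EXTRA_CANDIDATES)))


def tcp_open(host, port, timeout=1.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        # Refused, filtered (timeout) and unreachable all count as closed.
        return False


def audit_forwards(host, intended, candidates=DEFAULT_CANDIDATES, timeout=1.0):
    """Compare the ports that answer on host with the ports you meant to forward.

    Returns a dict of sorted port lists:
      ok         - intended and reachable
      unexpected - reachable but not intended (stale forward or DMZ host on)
      missing    - intended but not reachable (forward or service is down)
    """
    intended = set(intended)
    probed = intended | set(candidates)
    reachable = {port for port in probed if tcp_open(host, port, timeout)}
    return {
        "ok": sorted(reachable & intended),
        "unexpected": sorted(reachable - intended),
        "missing": sorted(intended - reachable),
    }


def describe(port):
    """Label a port with the service name the HOWTO gives it, if any."""
    return "%d/tcp (%s)" % (port, HOWTO_SERVICES.get(port, "not in HOWTO list"))


def format_report(host, result):
    """Turn an audit result into printable lines."""
    lines = ["Audit of %s" % host]
    for port in result["ok"]:
        lines.append("  ok          " + describe(port))
    for port in result["unexpected"]:
        lines.append("  UNEXPECTED  " + describe(port)
                     + ": remove the forward or check DMZ Host")
    for port in result["missing"]:
        lines.append("  missing     " + describe(port)
                     + ": forward not working or service down")
    return lines


def main(argv):
    if len(argv) < 2:
        print("usage: audit_forwards.py HOST [INTENDED_PORT ...]", file=sys.stderr)
        return 2
    host = argv[1]
    intended = [int(arg) for arg in argv[2:]]
    result = audit_forwards(host, intended)
    print("\n".join(format_report(host, result)))
    # A non-zero exit status lets cron or a monitoring job flag new exposure.
    return 1 if result["unexpected"] else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

<P
>Run it from a machine outside your LAN against your own external address, listing the ports you meant to forward (for example 22 and 80) after the host name. Any UNEXPECTED line points at a stale forward or an enabled DMZ host.</P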
><P
>There are two more steps for older firmware versions only. You can
ignore these if you have 2.x or later firmware.</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
><EM
>Disable AOL Parental Controls.</EM
>
Make sure <SPAN
CLASS="guibutton"
>AOL Parental Controls</SPAN
> (under
<SPAN
CLASS="guimenu"
>Security</SPAN
>) is turned off (off is
the default); otherwise the Linksys won't pass packets for your Unix box at
all. Newer versions of the firmware don't have this misfeature.</P
></LI
><LI
><P
><EM
>Disable Stateful Packet
Inspection.</EM
> If you want to run a server and are running
1.42 or earlier firmware, you also need to make sure stateful packet
inspection is off — this feature restricts incoming packets to those
associated with an outbound connection and is intended for heightened
security on client-only systems. On the
<SPAN
CLASS="guimenu"
>Filters</SPAN
> page, make sure
<SPAN
CLASS="guilabel"
>SPI</SPAN
> is off. If you don't see a radiobutton for SPI,
relax — the feature isn't present in all versions of the firmware,
and in fact was removed in 1.43 for stability reasons.</P
></LI
></OL
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="upgradingfirmware"
></A
>5. Upgrading the firmware</H1
><P
>Before you upgrade, here is a tip the documentation does not mention:
disconnect all the patch cables except the one from the machine you are
using to upgrade the box. Handling a lot of other network traffic while
the firmware load is going on can corrupt the firmware.</P
><P
>There are three ways you can upgrade your Linksys firmware.</P
><P
>One is to click the <SPAN
CLASS="QUOTE"
>"Upgrade firmware"</SPAN
> link on the admin
page. Download the firmware image to the machine your browser runs on,
fill in the field that says <SPAN
CLASS="QUOTE"
>"Please select a file to
upgrade:"</SPAN
>, click the Upgrade button, and have the right thing
happen. This is the least error-prone procedure and is recommended.</P
><P
>Another way is to use one of Linksys's firmware-upgrade floppy images
from their website. This requires that you boot Windows or use
WINE. Not recommended.</P
><P
>The third way is to use <SPAN
CLASS="application"
>tftp</SPAN
>. This is how
I did it the first time, before Linksys added the <SPAN
CLASS="QUOTE"
>"Upgrade
firmware"</SPAN
> link to the firmware, and I document it here for completeness
even though I now recommend their upgrade method. There is a tftp client
included with Red Hat Linux. To upgrade your firmware this way, do the
following steps:</P
><DIV
CLASS="procedure"
><OL
TYPE="1"
><LI
><P
><EM
>Write down your settings.</EM
> The
firmware upgrade may wipe some of them. Older versions nuked
everything back to factory defaults; newer versions preserve
your basic settings but clear some advanced ones.</P
></LI
><LI
><P
><EM
>Download a copy of the new firmware.</EM
>
Follow the Downloads link from the Linksys main page. Note that
what you get may well be marked <SPAN
CLASS="QUOTE"
>"For Windows Users"</SPAN
> and be a
zip archive. Open it in a scratch directory, because it will rudely create
several Windows files wherever you unpack it. The file you need will be
called <TT
CLASS="filename"
>CODE.BIN</TT
>.</P
></LI
><LI
><P
><EM
>Disable the router password.</EM
> Note
that every attempt I made to do this with Mozilla failed (both under 1.38
and 1.44). Konqueror worked fine, and Firefox works fine with the 2.x
firmware. Go to the Password tab, backspace over both sets of asterisks
until both the Password and Confirm fields are blank, and click
Apply.</P
></LI
><LI
><P
><EM
>Cross your fingers and load the
firmware.</EM
> The command session you want to see will look
something like this, with your router's IP address substituted for
192.168.1.1:</P
><TABLE
BORDER="0"
BGCOLOR="#E0E0E0"
WIDTH="100%"
><TR
><TD
><FONT
COLOR="#000000"
><PRE
CLASS="screen"
> tftp 192.168.1.1
tftp> binary
tftp> put code.bin
Sent 386048 bytes in 10.3 seconds
tftp>
</PRE
></FONT
></TD
></TR
></TABLE
><P
>Don't panic if the client hangs for a bit before returning and
<EM
>do not abort the transfer</EM
>. The command is
writing to firmware, and the Linksys hasn't got much of a brain.
Wait for it to finish.</P
></LI
><LI
><P
><EM
>Re-enable your router password and other
settings.</EM
> You'll be able to tell the upgrade worked because
the firmware version number will have changed.</P
></LI
></OL
></DIV
><P
>You're done.</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="AEN203"
></A
>6. Hacking the hardware</H1
><P
>Linksys boxes have firmware support for a serial console. The circuit
board has traces for two serial ports, but you have to do some fairly
serious modding to get them working. <A
HREF="http://www.rwhitby.net/wrt54gs/serial.html"
TARGET="_top"
>This page</A
> will
show you how.</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="AEN207"
></A
>7. Hacking the software</H1
><P
>Linksys routers run Linux from firmware. Linksys supplies source
code on its site; look for "GPL Code Center" under technical
support.</P
><P
>There are several replacements for the WRT54G firmware. All
add certain common features such as (a) the capability to ssh into the
Linux running on the box, (b) European WiFi channels, and (c) VPN
service.</P
><P
></P
><DIV
CLASS="variablelist"
><DL
><DT
><A
HREF="https://sourceforge.net/projects/wifi-box/"
TARGET="_top"
>Wifi-Box</A
></DT
><DD
><P
> Supports SNMP/mrtg. Said to have a good interface, convenient for home use.
</P
></DD
><DT
><A
HREF="http://www.sveasoft.com/modules/phpBB2/"
TARGET="_top"
>SveaSoft</A
></DT
><DD
><P
> Intended for Wireless ISPs, lots of stuff for routing and repeater operation.
Open source, but you can buy support and private-release subscriptions.
This outfit has been slammed for GPL noncompliance and apparently lost
a lot of the good reputation it used to have.
</P
></DD
><DT
><A
HREF="http://dd-wrt.com"
TARGET="_top"
>DD-WRT</A
></DT
><DD
><P
> A fork of the SveaSoft codebase from a few years back.
</P
></DD
><DT
><A
HREF="http://openwrt.org/"
TARGET="_top"
>OpenWRT</A
></DT
><DD
><P
> Workbench for people who want to experiment with their own customizations.
Provides a framework and a set of modular packages supporting particular
features.
</P
></DD
><DT
><A
HREF="http://www.hyperdrive.be/hyperwrt/index.php?page=home-page"
TARGET="_top"
>HyperWRT</A
></DT
><DD
><P
> Starts from the Linksys 3.01.3 firmware and adds a handful of features.
Might be useful for those comfortable with the Linksys interface.
</P
></DD
><DT
><A
HREF="http://www.batbox.org/wrt54g-linux.html"
TARGET="_top"
>http://www.batbox.org/wrt54g-linux.html</A
></DT
><DD
><P
> Another hacker's workbench, this one runs from RAMdisk so you don't have to
reflash the box. Thus there's no chance of trashing your router. The
disadvantage is that it has to be reloaded each time after you power-cycle.
</P
></DD
></DL
></DIV
><P
>Any of these can be installed using the <A
HREF="#upgradingfirmware"
>firmware upgrade procedures</A
>.</P
><P
>Firmware for other Linksys hardware (notably the WAP54G) can be found
<A
HREF="http://www.dslreports.com/faq/10537"
TARGET="_top"
>here</A
> and <A
HREF="http://www.linksysinfo.org/modules.php?name=Downloads&d_op=viewdownload&cid=15"
TARGET="_top"
>here</A
>.</P
><P
>For a look at the techniques used to develop these firmware
alternatives, there's an interesting site on <A
HREF="http://seattlewireless.net/index.cgi/LinksysWrt54g"
TARGET="_top"
>hacking the
Wrt54g</A
> by Seattle wireless.net.</P
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="Utilities"
></A
>8. Utilities</H1
><P
>There is a Unix utility called <SPAN
CLASS="application"
>linksysmon</SPAN
>
that talks with these boxes via SNMP. Look at the <A
HREF="http://woogie.net/projects/linksysmon/"
TARGET="_top"
>Linksysmon project
site</A
>.</P
><P
>Linksysmon is a tool for monitoring Linksys BEFSR41 and BEFSR11
firewalls under Linux and other Unix-like operating systems. It accepts
log messages from the Linksys, and logs the messages to
<TT
CLASS="filename"
>/var/log/linksys.log</TT
>. It handles the standard activity
logs, as well as the <SPAN
CLASS="QUOTE"
>"secret"</SPAN
> extended logging, and can handle
logs from multiple firewalls. When using extended logging, it can detect
external IP address changes (if you are using either DHCP or PPPOE) and can
call an external program to process the change.</P
><P
>Link-n-Log is a similar tool that includes a GUI and logs to an SQL
database. Details at the <A
HREF="http://link-n-log.sourceforge.net/"
TARGET="_top"
>Link-n-Log project
page</A
>.</P
></DIV
><DIV
|
||
|
CLASS="sect1"
|
||
|
><HR><H1
|
||
|
CLASS="sect1"
|
||
|
><A
|
||
|
NAME="ts-tips"
|
||
|
></A
|
||
|
>9. Troubleshooting tips</H1
|
||
|
><DIV
|
||
|
CLASS="sect2"
|
||
|
><H2
|
||
|
CLASS="sect2"
|
||
|
><A
|
||
|
NAME="catatonia"
|
||
|
></A
|
||
|
>9.1. Occasional catatonia and epilepsy</H2
><P
>Linksys boxes freeze up occasionally (once every few months) and
have to be power-cycled. Suspect this is happening if your outside
Web access suddenly stops working; ping the Linksys box to check.</P
><P
>These catatonic episodes may be related to dirty power; at least,
they seem to happen more frequently in association with electrical storms
and brownouts. If you think this has happened, just pull the power
connector out of the back and plug it back in. The Linksys should reboot
itself within 30 seconds or so.</P
><P
>There is a more severe failure mode that I've only seen once; it's
more like an epileptic seizure than catatonia, and involves strange blink
patterns on the Link, Collision, and 100Mbit diagnostic lights (the 100Mbit
light should not normally ever blink).</P
><P
>If this happens, power-cycling the Linksys won't suffice; you'll have
to hard-reset the thing. Some versions (like the BEFSR41) have a reset pin
that you poke with a paperclip end through a small hole in the front panel
labeled Reset. Some versions (like the BEFW11S4 and WRT54G) have a reset
button on the back. You have to hold these down for about thirty seconds
to hard-reset the nonvolatile RAM. This will lose your configuration
settings.</P
></DIV
><DIV
CLASS="sect2"
><HR><H2
CLASS="sect2"
><A
NAME="mozillaquirks"
></A
>9.2. Mozilla interface quirks under 1.38 and earlier firmware</H2
><P
>Linksys blue boxes have a webserver embedded in their firmware.
The normal way to administer one is to point a browser at its IP
address on your network. You program the box by filling out HTML
forms.</P
><P
>This is a nice bit of design that neatly avoids having OS-specific
client software. But some older versions of the webserver firmware have a
quirk that interacts with a bug in Mozilla (at least at release 1.0.1) to
make the interface almost unusable. Fortunately, the recovery procedure is
trivial. This bug was known to be present as late as firmware 1.40, and also
interfered with Netscape; it is absent in 1.44, which is a good reason to
upgrade. We have a report that Mozilla 1.3 fails with firmware 1.43, so whatever
change fixed the problem likely came in with 1.44.</P
><P
>The symptom you're likely to see is a broken-image icon at the
upper left hand corner of each page. The broken image is a series of
file-folder tabs for an image map. That image map is how you get to
the other web pages.</P
><P
>You can recover by right-clicking on the broken-image icon.
Select <SPAN
CLASS="QUOTE"
>"View Image"</SPAN
>, then back out. This will build the
image map correctly.</P
><P
>You will almost always have to do this on the first page,
but it often won't trigger on later page loads.</P
><P
>Here's what's going on. Mozilla tries to stream multiple
concurrent requests at the webservers it talks to in order to speed up
page loading. The dimwitted little firmware webserver in the Linksys is
only single-threaded and doesn't handle concurrent requests. So there's
a race condition. When you hit the window just right, you get an
aborted request and a broken graphic.</P
><P
>Most other browsers are immune to this problem. Konqueror
doesn't trigger it. Neither does Internet Explorer.</P
></DIV
></DIV
><DIV
CLASS="sect1"
><HR><H1
CLASS="sect1"
><A
NAME="resources"
></A
>10. Related Resources</H1
><P
>There's a large user-community website at <A
HREF="http://www.linksysinfo.org/"
TARGET="_top"
>LinksysInfo.org</A
>. It includes
news, support forums, and custom firmware downloads.</P
><P
>There is a Linksys tips and tricks <A
HREF="http://www.dslreports.com/faq/linksys"
TARGET="_top"
>FAQ</A
>; it's mostly
Windows stuff, but a few of the war stories may be useful.</P
></DIV
></DIV
></BODY
></HTML
>