Banana Pi BPI-R1 with Enclosure

For the past nine months, I’ve been using a BPI-R1 as a personal home router. It’s a small, affordable router board with a dual-core ARMv7 processor, 1GB of RAM and Gigabit Ethernet. It can run several flavors of Linux; however, getting the initial setup going was a little tricky because of the way the Ethernet switch and VLANs are configured. The following is a guide to setting up a BPI-R1 using the Bananian Linux distribution. Bananian, as the name suggests, is based on Debian. I used it because it was the first distribution I could get working well. The installation instructions were pretty standard: use dd to write an image to an SD card. The installation image and guide can be found on the Bananian download page.

By default Bananian uses DHCP to get an IP address. At the time I didn’t have a monitor or a keyboard to plug into the HDMI/USB ports on the board, so I connected the WAN interface to my laptop where I started a DHCP server to give it an address. After that I was able to SSH into the board as the root user using pi, the default password. If you have a keyboard and HDMI monitor, the following steps can also be done from the console.

You should start by running the bananian-config script for setting your root password, timezone information and, most importantly, configuring the hardware type as BPI-R1 (the default is the standard bananian board).

For security, use either bananian-config or passwd to change the default password for the root user!

The base Bananian comes with both the nano and vi editors. The first thing we’ll want to do is configure the switch by editing /etc/network/if-pre-up.d/swconfig. Open it with the editor of your choice and take note of the line exit 0 as shown:

#!/bin/sh

#---------------------------#
# BPI-R1 VLAN configuration #
#---------------------------#
#
# This will create the following ethernet ports:
# - eth0.101 = WAN (single port)
# - eth0.102 = LAN (4 port switch)
#
# You have to adjust your /etc/network/interfaces
#
# Comment out the next line to enable the VLAN configuration:
#exit 0

ifconfig eth0 up

# The swconfig port number are:
# |2|1|0|4|  |3|
# (looking at front of ports)

swconfig dev eth0 set reset 1
swconfig dev eth0 set enable_vlan 1
swconfig dev eth0 vlan 101 set ports '3 8t'
swconfig dev eth0 vlan 102 set ports '4 0 1 2 8t'
swconfig dev eth0 set apply 1

As the default file indicates, comment out the exit line to enable the switch configuration. The BPI-R1 essentially has only one Ethernet controller. The WAN and LAN ports are designated by splitting the individual ports into their own independent VLANs. The actual LAN ports need to be bridged together to be used as a switch, which can be done by editing /etc/network/interfaces and configuring the interfaces as follows:

auto lo
iface lo inet loopback

auto eth0.101
	iface eth0.101 inet dhcp

auto eth0.102
	iface eth0.102 inet manual

auto wlan0
	iface wlan0 inet manual

auto br0
	iface br0 inet static
	bridge_ports eth0.102 wlan0
	bridge_waitport 0
	address 10.10.1.1
	network 10.10.1.0
	netmask 255.255.255.0

In this example, I’ve set up my private LAN network to be at 10.10.1.1. You can use any address range you’d like within the private address spaces (e.g. 10., 172.16., 192.168.). I’ve also configured the Wi-Fi adapter to be bridged directly with the LAN ports, placing both wireless and wired devices on the same network.

For this configuration to work, we’ll need the bridge utilities. While we’re at it, we can also install the dhcp server and wireless AP tools we’ll need later using the following commands:

apt-get update
apt-get install bridge-utils isc-dhcp-server hostapd hostapd-rtl

You may get some errors about the DHCP service not being able to start because we haven’t configured it yet. It’s safe to ignore these. Next, we’ll edit /etc/dhcp/dhcpd.conf to set up our DHCP server.

ddns-update-style none;
option domain-name-servers 8.8.8.8, 8.8.4.4;

default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;

subnet 10.10.1.0 netmask 255.255.255.0 {
  range 10.10.1.10 10.10.1.100;
  option routers 10.10.1.1;
}

The above example establishes a pool of IPs for our LAN network. It also relies on Google DNS by using 8.8.8.8 and 8.8.4.4 as the nameservers. You can change this to use your ISP’s nameservers or set up your own instead. The default dhcpd.conf has comments for more complex DHCP options if you require them.

Next, we’ll set up our Wi-Fi access point by creating /etc/hostapd/hostapd.conf and configuring it with the following:

ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0

# 802.11n related stuff
ieee80211n=1
noscan=1
ht_capab=[HT40+][SHORT-GI-20][SHORT-GI-40]

#WPA2 settings
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP

# CHANGE THE PASSPHRASE
wpa_passphrase=changeme

# Most modern wireless drivers in the kernel need driver=nl80211
#driver=nl80211
driver=rtl871xdrv
max_num_sta=8
beacon_int=100
wme_enabled=1
wpa_group_rekey=86400
device_name=RTL8192CU
manufacturer=Realtek

# set proper interface
interface=wlan0
bridge=br0
hw_mode=g
# best channels are 1 6 11 14 (scan networks first to find which slot is free)
channel=6
# this is the network name
ssid=ExampleSSID

In the above configuration, be sure to adjust the wpa_passphrase and ssid for your setup. To get hostapd to use this new configuration, edit /etc/default/hostapd and uncomment the DAEMON_CONF variable.
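
A quick lint of the security-relevant keys in this hostapd.conf, added here as an example and not part of the original post. It flags the placeholder passphrase, a passphrase outside the 8 to 63 character range WPA-PSK accepts, WPA1 being enabled, TKIP as the effective WPA2 pairwise cipher, and shared-key (WEP) authentication in auth_algs. The function names are hypothetical; the sample lines are taken from the configuration above.

```shell
#!/bin/sh
# Added example: lint the security-relevant keys of a hostapd.conf.
# audit_hostapd reads the file on stdin and prints one finding per line.
audit_hostapd() {
    awk -F= '
        /^[ \t]*#/ || NF < 2 { next }               # skip comments and blank lines
        { conf[$1] = substr($0, length($1) + 2) }   # keep "=" inside values
        END {
            if ("wpa_passphrase" in conf) {
                p = conf["wpa_passphrase"]
                if (p == "changeme")
                    print "wpa_passphrase is still the placeholder from the guide"
                else if (length(p) < 8 || length(p) > 63)
                    print "wpa_passphrase must be 8..63 characters"
            }
            if (conf["wpa"] + 0 != 2)
                print "wpa=" conf["wpa"] " does not restrict the AP to WPA2"
            # rsn_pairwise sets the WPA2 cipher; wpa_pairwise is only its fallback.
            cipher = ("rsn_pairwise" in conf) ? conf["rsn_pairwise"] : conf["wpa_pairwise"]
            if (cipher ~ /TKIP/)
                print "WPA2 pairwise cipher list includes TKIP: " cipher
            # auth_algs is a bitmask: bit 0 = open system, bit 1 = shared key (WEP).
            if (int(conf["auth_algs"] / 2) % 2 == 1)
                print "auth_algs=" conf["auth_algs"] " enables shared-key auth; 1 is enough for WPA2"
        }
    '
}

# Sample input: the security-relevant lines of the configuration in this guide.
sample_hostapd_conf() {
    cat <<'EOF'
auth_algs=3
# WPA2 settings
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
# CHANGE THE PASSPHRASE
wpa_passphrase=changeme
EOF
}

sample_hostapd_conf | audit_hostapd
```

Run it against the real file with `audit_hostapd < /etc/hostapd/hostapd.conf`; no output means none of these checks fired.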

We’re now ready to restart some services with our new configuration. Run the following commands:

/etc/init.d/networking restart
/etc/init.d/isc-dhcp-server restart
/etc/init.d/hostapd restart

At this point, devices connected to the switch ports of the BPI-R1 should be able to obtain IP addresses and Wi-Fi devices should be able to connect as well. However, they won’t be able to access the Internet.

First, edit /etc/sysctl.conf and uncomment the following line to enable IP forwarding:

#net.ipv4.ip_forward=1

This will ensure ip forwarding will be enabled on reboots. To enable it right now, run the following:

sysctl net.ipv4.ip_forward=1

Next, we need to add some iptables rules to allow for Network Address Translation (NAT) between our LAN and WAN networks.

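# Accept everything from the LAN bridge and loopback
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
# Stateful firewall: accept replies to connections the router itself started
iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
# Forward LAN traffic out, and only reply traffic back in from the WAN
iptables -A FORWARD -s 10.10.1.0/24 -i br0 -j ACCEPT
iptables -A FORWARD -d 10.10.1.0/24 -i eth0.101 -m state --state RELATED,ESTABLISHED -j ACCEPT
# Masquerade LAN addresses behind the WAN address
iptables -t nat -A POSTROUTING -o eth0.101 -j MASQUERADE
# Drop anything not explicitly allowed
iptables -P INPUT DROP
iptables -P FORWARD DROP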

In the above example, we start by accepting everything from localhost and our LAN (the physical ports and Wi-Fi bridged together). The next line is to establish a stateful firewall. See the iptables documentation for more information on connection tracking. Next we have some forwarding and masquerading rules used for our NAT so our LAN can communicate to the outside world. Finally, we add some rules to drop all other requests that we haven’t explicitly allowed.

If you want to allow SSH from the WAN port (you did remember to set a strong password, right?), you can use the following command to open up port 22 from the WAN interface:

iptables -A INPUT -i eth0.101 -p tcp -m tcp --dport 22 -j ACCEPT

If you want to be security aware, you should modify /etc/ssh/sshd_config to not allow root logins and create a separate user to log in with. You may also want to have sshd run on a non-standard port (be sure to adjust the firewall rule above appropriately).

To make these rules persistent after reboots, run the following:

cat << EOF  > /etc/network/if-pre-up.d/iptables
#!/bin/sh
iptables-restore --counters < /etc/iptables/rules.v4
exit 0
EOF
chmod 755 /etc/network/if-pre-up.d/iptables
mkdir -p /etc/iptables
iptables-save > /etc/iptables/rules.v4
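
A check to run against the saved rules before relying on them across reboots, as an added example that is not part of the original post: it reads iptables-save output and flags filter policies other than DROP and WAN-facing ACCEPT rules that are not limited to tracked connections. The function names and the sample ruleset are constructed; eth0.101 is the WAN interface from this guide, and the sample deliberately contains a WAN-to-LAN FORWARD rule without a state match to show what gets reported.

```shell
#!/bin/sh
# Added example: audit an iptables-save dump for the router layout in this guide.
# The WAN interface name follows the guide; the sample ruleset is constructed.
WAN_IF="eth0.101"

# audit_rules: reads iptables-save output on stdin, prints one finding per line.
audit_rules() {
    awk -v wan="$WAN_IF" '
        /^\*/ { table = substr($1, 2); next }
        table != "filter" { next }
        /^:(INPUT|FORWARD) / && $2 != "DROP" {
            print substr($1, 2) " policy is " $2 ", expected DROP"
        }
        /^-A (INPUT|FORWARD) / && /-j ACCEPT/ {
            if (index($0 " ", "-i " wan " ") == 0) next   # not a WAN-facing rule
            if ($0 ~ /--(state|ctstate) /) next           # tied to tracked connections
            if ($2 == "FORWARD")    print "unsolicited WAN->LAN forwarding: " $0
            else if (/--dports? /)  print "service exposed on WAN: " $0
            else                    print "all WAN input accepted: " $0
        }
    '
}

# Constructed sample in iptables-save format.
sample_rules() {
    cat <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0.101 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i br0 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0.101 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.10.1.0/24 -i br0 -j ACCEPT
-A FORWARD -d 10.10.1.0/24 -i eth0.101 -j ACCEPT
COMMIT
EOF
}

sample_rules | audit_rules
```

Run it against the persisted file with `audit_rules < /etc/iptables/rules.v4`. An SSH rule you opened on purpose will still be listed, which keeps the WAN exposure visible each time the rules are reviewed.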

There you have it. Your BPI-R1 should now be a fully functioning IPv4 router and wireless access point. Be sure to run regular updates for security using the following commands:

bananian-update
apt-get update
apt-get upgrade

Several Months of Operation

Lately my BPI-R1 has been frequently locking up, and in some cases, rebooting into a very insecure configuration. My next post will deal with the issues I’ve faced using this device as my primary router over the past year.
