ControlAP
Troubleshooting - Embedded (AP)
Resetting OpenWRT
If you are having trouble with OpenWRT in your Linksys WRT54GL (or
equivalent) or you have locked yourself out due to misconfiguration,
incorrect firewall settings or you simply forgot the ssh password, you
can enter OpenWRT's fail safe mode by doing the following:
- Unplug and plug in power, wait for the DMZ LED to light up, then press
  the reset button (momentarily). You should then see the DMZ LED
  blinking three times followed by a pause, repeatedly.
- Connect to one of the LAN ports using a 192.168.1.x address.
- Telnet into 192.168.1.1 (telnet is re-enabled with fail safe mode) to
  enter OpenWRT's command line (use a telnet client or "telnet" from the
  command line of your computer as follows: "telnet 192.168.1.1").
Most of the time you'll be able to recover this way - or by using
ControlAP Loader to reload the firmware (you may still have to do the
next step below).
Cannot upload or write files into OpenWRT:
The following output is what you'll see after a fail safe mode reset on
a Linksys WRT54GL (see above on how to reset), or sometimes after
uploading the OpenWRT firmware (first or subsequent times) when for some
reason it didn't reboot properly (the first bootup takes some time, so
you may have inadvertently aborted a complete first-time boot after
uploading the firmware, or your AP may not have reset properly).
In any case, the symptom is that the partition is set to read-only and
not to read/write. To correct this, simply issue the command "firstboot"
from the command line. Note that this is still done using telnet (if you
set a password you will disable telnet and will then need to use an ssh
client such as "putty"). So don't set a password just yet; wait until
you are up and running, or until you need to allow remote access for
troubleshooting. The ControlAP Loader requires telnet to upload
ControlAP, but you can also upload files manually with ssh by using an
scp client such as WinSCP.
=== IMPORTANT ============================
Use 'passwd' to set your login password
this will disable telnet and enable SSH
------------------------------------------
BusyBox v1.00 (2006.03.27-00:00+0000) Built-in shell (ash)
Enter 'help' for a list of built-in commands.
  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 WHITE RUSSIAN (RC5) -------------------------------
  * 2 oz Vodka   Mix the Vodka and Kahlua together
  * 1 oz Kahlua  over ice, then float the cream or
  * 1/2oz cream  milk on the top.
 ---------------------------------------------------
root@(none):/# df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 1024      1024         0 100% /
none                      7172         0      7172   0% /tmp
root@(none):/# firstboot
Unlocking OpenWrt ...
Erasing OpenWrt ...
creating directories... done
setting up symlinks... done
root@(none):/# df
Filesystem           1k-blocks      Used Available Use% Mounted on
/dev/root                 1024      1024         0 100% /rom
none                      7172         0      7172   0% /tmp
/dev/mtdblock/4           2240       368      1872  16% /
Note: the "df" command shows the partitions and available disk space -
note the difference between having a read-only and read/write partition
(before and after running "firstboot").
Editing OpenWrt's firewall (e.g. to allow remote ssh access via WAN)
The firewall is the text file: /etc/firewall.user
To list the files in the /etc folder type the following on the command line:
ls -la /etc
Notice that the listing will show the following:
-rwxr-xr-x 1 root root 1190 Jan 1 00:04 firewall.user -> /rom/etc/firewall.user
Before we can edit this file we need to make it writable (by default
it's a link to a read-only version of the file) with the following
commands:
rm /etc/firewall.user
cp /rom/etc/firewall.user /etc
Now edit using the "vi" editor as follows: vi /etc/firewall.user
Use the arrow keys to navigate; if you lose screen control, press the
escape key followed by ":q!" to exit without saving (to avoid losing
control, navigate slowly). Use "x" to delete characters and "i" to enter
insert mode (the escape key will exit insert mode). To exit, use ":q!"
to quit without saving or ":wq" to save and quit (if in insert mode
you'll have to press the escape key first).
You'll want to remove the comment characters ("#") at the beginning of
the lines containing the iptables command in the following section of
the firewall.user file:
### Open port to WAN
## -- This allows port 22 to be answered by (dropbear on) the router
# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT
# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT
Note: "dropbear" is simply the name of the ssh server in OpenWRT.
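The symlink replacement and the vi edit described above can also be done non-interactively. The script below is an added example, not part of the original page or of ControlAP; the function names, the optional source restriction ("-s") and the address 203.0.113.10 are assumptions made for illustration, and it assumes the router's sed and grep accept these basic regular expressions.

```sh
#!/bin/sh
# Added example, not from the original page. Paths are arguments so the
# functions can be tried on a scratch copy before touching /etc.

# make_writable ETC_DIR ROM_ETC_DIR
# Replace the read-only symlink ETC_DIR/firewall.user with a real copy.
make_writable() {
    if [ -L "$1/firewall.user" ]; then
        rm "$1/firewall.user"
        cp "$2/firewall.user" "$1/firewall.user"
    fi
}

# open_wan_ssh FILE [SOURCE]
# Uncomment the two port-22 rules. SOURCE (address or CIDR range) is an
# optional restriction that is not on the original page: it adds
# "-s SOURCE" so that only that source is accepted.
open_wan_ssh() {
    rule='iptables .*-i \$WAN -p tcp --dport 22 -j ACCEPT'
    sed "s/^#[ ]*\($rule\)/\1/" "$1" > "$1.new" || return 1
    if [ -n "$2" ]; then
        sed "/^$rule/s|-i \\\$WAN|& -s $2|" "$1.new" > "$1.tmp" || return 1
        mv "$1.tmp" "$1.new"
    fi
    mv "$1.new" "$1"
}

# wan_ssh_rules FILE
# Print the active (uncommented) rules accepting port 22 on the WAN side.
wan_ssh_rules() {
    grep '^iptables .*-i \$WAN .*--dport 22 -j ACCEPT' "$1"
}

# demo [SOURCE]: run the steps on a constructed scratch tree.
demo() {
    d=$(mktemp -d) && mkdir -p "$d/rom/etc" "$d/etc" || return 1
    printf '%s\n' '### Open port to WAN' \
        '# iptables -t nat -A prerouting_rule -i $WAN -p tcp --dport 22 -j ACCEPT' \
        '# iptables -A input_rule -i $WAN -p tcp --dport 22 -j ACCEPT' \
        > "$d/rom/etc/firewall.user"
    ln -s "$d/rom/etc/firewall.user" "$d/etc/firewall.user"
    make_writable "$d/etc" "$d/rom/etc"
    open_wan_ssh "$d/etc/firewall.user" "$1"
    wan_ssh_rules "$d/etc/firewall.user"
    rm -r "$d"
}

demo 203.0.113.10   # constructed documentation address
```

On the router the two directories would be /etc and /rom/etc; wan_ssh_rules on /etc/firewall.user then lists exactly which port 22 rules will be active after the reboot.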
If you are using an external router that connects to the Internet you
will have to change that router's port forwarding rules to redirect port
22 to the WAN IP address of your OpenWRT AP. Also, if your clients are
getting DHCP traffic from an external router rather than your AP, you
can block DHCP traffic by adding the following rule anywhere in your
firewall.user file:
iptables -A INPUT -p udp -i $WAN -d 255.255.255.255 --destination-port 67:68 -j DROP
Note: you'll have to reboot to restart the firewall.
©2002-2006 mediatracker.com software.