From 3bbd6c9a62f3bc845cf9d6b07634effd104dd342 Mon Sep 17 00:00:00 2001 From: Adar Nimrod <nimrod@shore.co.il> Date: Fri, 15 Dec 2023 17:46:59 +0200 Subject: [PATCH] WAP: Update the config for OpenWRT 23.05. This is a dump of the config from a new router (Linksys MR8300) running a new version of OpenWRT (23.05). --- Ansible/roles/wap/README.md | 2 +- Ansible/roles/wap/templates/uci.conf.j2 | 267 ++++++++---------------- 2 files changed, 86 insertions(+), 183 deletions(-) diff --git a/Ansible/roles/wap/README.md b/Ansible/roles/wap/README.md index 23e99ed..9f62ee7 100644 --- a/Ansible/roles/wap/README.md +++ b/Ansible/roles/wap/README.md @@ -1,3 +1,3 @@ # Wirelss Access Point -Configure a wireless access point running OpenWRT 19.07. +Configure a Linksys MR8300 running OpenWRT 23.05 as a wireless access point. diff --git a/Ansible/roles/wap/templates/uci.conf.j2 b/Ansible/roles/wap/templates/uci.conf.j2 index 0d47d5d..87fbef1 100644 --- a/Ansible/roles/wap/templates/uci.conf.j2 +++ b/Ansible/roles/wap/templates/uci.conf.j2 @@ -11,24 +11,27 @@ config dnsmasq option domain 'lan' option expandhosts '1' option nonegcache '0' + option cachesize '1000' option authoritative '1' option readethers '1' option leasefile '/tmp/dhcp.leases' - option resolvfile '/tmp/resolv.conf.auto' + option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto' option nonwildcard '1' option localservice '1' + option ednspacket_max '1232' + option filter_aaaa '0' + option filter_a '0' config dhcp 'lan' option interface 'lan' option start '100' option limit '150' option leasetime '12h' + option dhcpv4 'server' option dhcpv6 'server' option ra 'server' - option ra_management '1' - -config dhcp 'wan' - option interface 'wan' + list ra_flags 'managed-config' + list ra_flags 'other-config' option ignore '1' config odhcpd 'odhcpd' 
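Review bot: In `config dhcp 'lan'`, `option ignore '1'` (which belonged to the deleted wan section on the old side) now sits next to the newly added `option dhcpv4 'server'`, `list ra_flags 'managed-config'` and `list ra_flags 'other-config'`, so the server settings are presumably inert only as long as `ignore` stays and become live the moment someone removes it. This box is an access point whose lan interface is `proto 'dhcp'` (network hunk below), so an accidental activation would turn it into a second DHCP server and RA source on the LAN. It would be clearer and fail-safe to state the intent explicitly: `option dhcpv4 'disabled'`, `option dhcpv6 'disabled'`, `option ra 'disabled'`, and drop the two `ra_flags` lines. If the server options are kept, a template comment such as `# DHCP/RA serving is off via 'ignore'; the upstream router serves this LAN` would record why they are present but dormant.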
@@ -40,162 +43,33 @@ config odhcpd 'odhcpd' package dropbear config dropbear - option Port '22' - option RootPasswordAuth 'off' option PasswordAuth 'off' + option RootPasswordAuth 'off' + option Port '22' package firewall config defaults - option syn_flood '1' - option output 'ACCEPT' - option forward 'REJECT' option input 'REJECT' - -config zone - option name 'lan' - option input 'ACCEPT' - option output 'ACCEPT' - option forward 'ACCEPT' - option network 'lan' - -config include - option path '/etc/firewall.user' - -config rule - option dest_port '22' - option src '*' - option name 'ssh' - option target 'ACCEPT' - list proto 'tcp' - -package firewall-opkg - -config defaults - option syn_flood '1' - option input 'ACCEPT' option output 'ACCEPT' option forward 'REJECT' + option synflood_protect '1' config zone option name 'lan' - list network 'lan' - option input 'ACCEPT' - option output 'ACCEPT' - option forward 'ACCEPT' - -config zone - option name 'wan' - list network 'wan' - list network 'wan6' option input 'REJECT' option output 'ACCEPT' option forward 'REJECT' - option masq '1' - option mtu_fix '1' - -config forwarding - option src 'lan' - option dest 'wan' - -config rule - option name 'Allow-DHCP-Renew' - option src 'wan' - option proto 'udp' - option dest_port '68' - option target 'ACCEPT' - option family 'ipv4' - -config rule - option name 'Allow-Ping' - option src 'wan' - option proto 'icmp' - option icmp_type 'echo-request' - option family 'ipv4' - option target 'ACCEPT' - -config rule - option name 'Allow-IGMP' - option src 'wan' - option proto 'igmp' - option family 'ipv4' - option target 'ACCEPT' - -config rule - option name 'Allow-DHCPv6' - option src 'wan' - option proto 'udp' - option src_ip 'fc00::/6' - option dest_ip 'fc00::/6' - option dest_port '546' - option family 'ipv6' - option target 'ACCEPT' - -config rule - option name 'Allow-MLD' - option src 'wan' - option proto 'icmp' - option src_ip 'fe80::/10' - list icmp_type '130/0' - list icmp_type 
'131/0' - list icmp_type '132/0' - list icmp_type '143/0' - option family 'ipv6' - option target 'ACCEPT' - -config rule - option name 'Allow-ICMPv6-Input' - option src 'wan' - option proto 'icmp' - list icmp_type 'echo-request' - list icmp_type 'echo-reply' - list icmp_type 'destination-unreachable' - list icmp_type 'packet-too-big' - list icmp_type 'time-exceeded' - list icmp_type 'bad-header' - list icmp_type 'unknown-header-type' - list icmp_type 'router-solicitation' - list icmp_type 'neighbour-solicitation' - list icmp_type 'router-advertisement' - list icmp_type 'neighbour-advertisement' - option limit '1000/sec' - option family 'ipv6' - option target 'ACCEPT' - -config rule - option name 'Allow-ICMPv6-Forward' - option src 'wan' - option dest '*' - option proto 'icmp' - list icmp_type 'echo-request' - list icmp_type 'echo-reply' - list icmp_type 'destination-unreachable' - list icmp_type 'packet-too-big' - list icmp_type 'time-exceeded' - list icmp_type 'bad-header' - list icmp_type 'unknown-header-type' - option limit '1000/sec' - option family 'ipv6' - option target 'ACCEPT' - -config rule - option name 'Allow-IPSec-ESP' - option src 'wan' - option dest 'lan' - option proto 'esp' - option target 'ACCEPT' + list network 'lan' config rule - option name 'Allow-ISAKMP' - option src 'wan' - option dest 'lan' - option dest_port '500' - option proto 'udp' + option name 'ssh' + list proto 'tcp' + option src '*' + list dest_ip '192.168.3.13' + option dest_port '22' option target 'ACCEPT' -config include - option path '/etc/firewall.user' - package luci config core 'main' @@ -223,6 +97,9 @@ config internal 'ccache' option enable '1' config internal 'themes' + option Bootstrap '/luci-static/bootstrap' + option BootstrapDark '/luci-static/bootstrap-dark' + option BootstrapLight '/luci-static/bootstrap-light' config internal 'apply' option rollback '90' 
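Review bot: The `ssh` rule pins `list dest_ip '192.168.3.13'` although the lan interface in this same patch is `proto 'dhcp'` and no static lease is visible, so if the AP ever obtains a different address the rule stops matching and, with the lan zone now `option input 'REJECT'`, the only way back in is the console. Since the template is already parameterised (`{{ wifi_password }}`), the address belongs in a host variable, e.g. `list dest_ip '{{ wap_ipaddr }}'`, or the rule should match on the management host's `src_ip` rather than the AP's own DHCP-assigned address. An IPv4 `dest_ip` also makes the rule IPv4-only, so SSH to the ULA or link-local addresses is rejected; fine if intended, but worth a one-line comment. `Allow-DHCP-Renew` and `Allow-ICMPv6-Input` were removed together with the wan zone and nothing equivalent is added for lan, so it is worth confirming on the device that the AP's own DHCP renewals and IPv6 neighbour discovery still pass a REJECT input zone — I cannot tell from the diff alone whether fw4 covers those implicitly.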
@@ -238,43 +115,52 @@ config internal 'diag' package network config interface 'loopback' - option ifname 'lo' + option device 'lo' option proto 'static' option ipaddr '127.0.0.1' option netmask '255.0.0.0' config globals 'globals' - option ula_prefix 'fd3a:a5ff:4867::/48' + option ula_prefix 'fdc9:d14b:495c::/48' -config interface 'lan' +config device + option name 'br-lan' option type 'bridge' - option ifname 'eth0' - option proto 'dhcp' + list ports 'lan1' + list ports 'lan2' + list ports 'lan3' + list ports 'lan4' + list ports 'wan' + option macaddr 'C4:41:1E:AA:03:4A' -config device 'lan_eth0_dev' - option name 'eth0' - option macaddr '60:38:e0:ae:19:4a' +config device + option name 'lan1' + option macaddr 'C4:41:1E:AA:03:4A' -config device 'wan_eth1_dev' - option name 'eth1' - option macaddr '60:38:e0:ae:19:49' +config device + option name 'lan2' + option macaddr 'C4:41:1E:AA:03:4A' -config switch - option name 'switch0' - option reset '1' +config device + option name 'lan3' + option macaddr 'C4:41:1E:AA:03:4A' -config switch_vlan - option device 'switch0' - option vlan '1' - option ports '0 1 2 3 4' - option vid '1' +config device + option name 'lan4' + option macaddr 'C4:41:1E:AA:03:4A' -package nut_server +config interface 'lan' + option device 'br-lan' + option proto 'dhcp' + +config device + option name 'wan' + option macaddr 'C4:41:1E:AA:03:4A' package rpcd config rpcd - option socket '/var/run/ubus.sock' + option socket '/var/run/ubus/ubus.sock' option timeout '30' config login @@ -286,11 +172,12 @@ config login package system config system + option hostname 'mr8300.shore.co.il' option ttylogin '0' option log_size '64' option urandom_seed '0' + option compat_version '2.0' option zonename 'UTC' - option hostname 'ea6350.shore.co.il' option log_proto 'udp' option conloglevel '8' option cronloglevel '5' 
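Review bot: The bridge and every port (`br-lan`, `lan1`–`lan4`, `wan`) hard-code the unit MAC `C4:41:1E:AA:03:4A`, and the `ula_prefix` and the hostname in the following system hunk are likewise unit-specific, so the role template now renders correctly for this one MR8300 only, even though `{{ wifi_password }}` shows it was meant to be parameterised. Moving those into host vars, e.g. `option macaddr '{{ wap_macaddr }}'`, or at least documenting at the top of the template that it is a single-device dump, would stop a second AP built from this role from cloning the MAC onto the same LAN. The `wan` port is enslaved into `br-lan`, which is right for an access point but means the WAN-labelled jack has no isolation from the LAN; a comment such as `# 'wan' is a plain LAN member: this device is an AP, not a router` would make that deliberate.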
@@ -306,7 +193,7 @@ package ubootenv config ubootenv option dev '/dev/mtd7' option offset '0x0' - option envsize '0x20000' + option envsize '0x40000' option secsize '0x20000' package ucitrack @@ -314,7 +201,6 @@ package ucitrack config network option init 'network' list affects 'dhcp' - list affects 'radvd' config wireless list affects 'network' @@ -375,7 +261,7 @@ config uhttpd 'main' list listen_http '[::]:80' list listen_https '0.0.0.0:443' list listen_https '[::]:443' - option redirect_https '1' + option redirect_https '0' option home '/www' option rfc1918_filter '1' option max_requests '3' @@ -388,10 +274,11 @@ config uhttpd 'main' option network_timeout '30' option http_keepalive '20' option tcp_keepalive '1' + option ubus_prefix '/ubus' config cert 'defaults' option days '730' - option key_type 'rsa' + option key_type 'ec' option bits '2048' option ec_curve 'P-256' option country 'ZZ' 
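Review bot: `option redirect_https '0'` switches off the HTTP→HTTPS redirect while `listen_http '0.0.0.0:80'` and `'[::]:80'` remain, so a LuCI login submitted to port 80 would travel in cleartext. Today this is moot because the lan zone in this same patch rejects all input except SSH, but the setting will silently matter the moment an HTTP allow rule is added. Unless there is a reason (e.g. a TLS-terminating proxy in front), keep `option redirect_https '1'` or drop the `listen_http` entries; if the change is intentional, a template comment stating why would help the next reader. In `config cert 'defaults'`, `option bits '2048'` is dead now that `key_type` is `ec`, which is harmless but worth a note so nobody assumes it sizes the key.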
@@ -403,32 +290,48 @@ package wireless config wifi-device 'radio0' option type 'mac80211' - option hwmode '11g' - option path 'platform/soc/a000000.wifi' - option country 'IL' - option htmode 'HT40' - option channel '6' + option path 'soc/40000000.pci/pci0000:00/0000:00:00.0/0000:01:00.0' + option channel 'auto' + option band '5g' + option htmode 'VHT80' + option cell_density '0' config wifi-iface 'default_radio0' option device 'radio0' option network 'lan' option mode 'ap' + option ssid 'Shore Inc. (5ghz)' + option encryption 'sae-mixed' option key '{{ wifi_password }}' - option encryption 'psk2' - option ssid 'Shore Inc. (2.4ghz)' config wifi-device 'radio1' option type 'mac80211' - option channel '36' - option hwmode '11a' - option path 'platform/soc/a800000.wifi' - option htmode 'VHT80' - option country 'IL' + option path 'platform/soc/a000000.wifi' + option channel '11' + option band '2g' + option htmode 'HT20' + option cell_density '0' config wifi-iface 'default_radio1' option device 'radio1' option network 'lan' option mode 'ap' + option ssid 'Shore Inc. (2.4ghz)' + option encryption 'sae-mixed' option key '{{ wifi_password }}' - option encryption 'psk2' + +config wifi-device 'radio2' + option type 'mac80211' + option path 'platform/soc/a800000.wifi' + option channel '60' + option band '5g' + option htmode 'VHT80' + option cell_density '0' + +config wifi-iface 'default_radio2' + option device 'radio2' + option network 'lan' + option mode 'ap' option ssid 'Shore Inc. (5ghz)' + option encryption 'sae-mixed' + option key '{{ wifi_password }}' -- GitLab
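Review bot: `option country 'IL'` was dropped from every radio, yet radio2 is pinned to `channel '60'`, a DFS channel, and radio0/radio2 use `VHT80`; without a country code the regulatory domain is whatever the driver or board data supplies (often the restrictive world domain), which can forbid starting an AP on DFS channels and leave radio2 silently down or on a different channel. Restoring `option country 'IL'` on radio0, radio1 and radio2 keeps the channel/htmode choices valid and avoids transmitting outside local regulations. `encryption 'sae-mixed'` still admits WPA2-PSK clients with the same passphrase, so WPA3's offline-guessing resistance only protects SAE-capable clients; that is a reasonable transition choice but deserves a comment, and moving to `sae` once legacy clients are gone would close the downgrade path. radio0 and radio2 both broadcast `Shore Inc. (5ghz)`, presumably intentional for the MR8300's two 5 GHz radios, but a comment would stop the twin sections being read as a copy-paste error.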