What about QoS/AQM?
Prior to the Modena build (February 2013), CeroWrt benefited from setting QoS parameters. The defaults in Modena work pretty well, and using the procedure described on the Setting up AQM page works even better.
Does CeroWrt "phone home"?
A: No, it does not. Well, it does, sort of: there is an image on the onboard web pages that is maintained at bufferbloat.net. The cosmic background bufferbloat detector can (but doesn't always) connect to an NTP server in the bufferbloat pool.
CeroWrt does come with multiple tools, such as snmp, that make collecting statistics about its performance easier.
How is routing done in CeroWrt, since the interfaces are routed rather than bridged?
IPv4 is behind NAT by default and broken into 8 static /27 subnets to limit the horrendous impact of multicast/broadcast on wireless. Since a home router is the default gateway, no routing protocol is needed in that case. For other routers in the home, we mesh using babel.
IPv6 is autogenerated from 6to4 or 6in4, fed into radvd, and distributed from there. Help supporting 6rd and DHCPv6-PD is welcome (dibbler is available in RC6 for those who want to experiment).
The core routing protocol is babel for both IPv6 and IPv4; radvd is on for older clients, and all of quagga (ospf, bgp, etc.) is also available.
Please let us know in #273 if 6rd is MIA.
Comcast's 6rd trial was so limited (they delegated only a /64) that the only way to use it was ahcp + babel, which hands out and routes /128s by default.
6to4, being a /48, was easily subnettable and thus usable with older routing mechanisms like radvd, so we went back to it after a few weeks with 6rd and Comcast. Comcast is not planning to go forward with 6rd but has deployed geographically dispersed production 6to4 relays, which have worked well for us. Help testing 6rd on other ISPs would be very welcome.
Why so many SSIDs on the wireless interfaces?
A: The 2.4 GHz spectrum tends to be polluted by many other wireless devices. If your client (laptop, whatever) supports 5 GHz operation, you really want to use that SSID (clearly delineated by a "5" postfix) to get higher-performance operation.
You can make all the SSIDs be the same if you like in the CeroWrt router configuration pages, but NANOG recommends training users "to choose the one on 5".
Why guest interfaces?
A: Wireless spectrum is intrinsically shared. It makes sense to share it when possible, and also keep your own network safe.
Why port 81?
A: The router configuration screen is served on port 81. Actually we could have used nearly any other port besides 80 or 443. We wanted to move 'configuring the router' to its own interface and allow 'using the router' to include your own web pages and interfaces.
Why 172.30.42.0/27 subnet?
A: Please refer to the default network numbering page.
What's this babel thing?
How do I disable the guest/babel interfaces?
A: Firewalling is a complex problem. "Guest" networks are for visitors to your LAN: they do not have access to the wired or primary wireless LAN (unless it is unsecured), but do have access to the Internet. You can grant access to guest networks that does not extend to your primary network.
To secure (rather than disable entirely) your guest networks, the simplest method is merely to assign WPA2 keys to the guest networks that guests won't know.
Or you can remove the guest networks entirely. Removing the interfaces (which is doable) also requires removing the firewall rules for the guest interfaces in order to work right, as well as a reboot, and recreating them afterwards will be difficult.
This is more complex than I'm used to!
A: This is a research project. We hope to make things simpler.
This is cool! What else can this puppy do?
How to close default open firewall ports?
A: Several ports are open, but filtered, using various means. For example, rsync and ssh are enabled but the default settings in /etc/xinetd.conf prohibit access via any but your internal private IPs.
Telnet and ftp ports (not services) are enabled, but are there to trigger sensors that disable other services in the event of an attack from inside or outside of your firewall.
You can close ports more fully to the outside world via the GUI or by editing /etc/config/firewall, and/or do finer-grained access control via /etc/xinetd.conf and /etc/xinetd.d/.
The web port (80) defaults to open, the web configuration port (81) does not. The intent here is to enable you to put up your own local web pages.
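As an added example (not code from the CeroWrt project or its shipped files), a small Python checker that parses a constructed xinetd.conf in the style described above and reports whether a given client address would be admitted to a service. The sample stanzas, the 172.30.42.160/27 guest block and the treatment of an equally specific only_from/no_access match as deny are assumptions.

```python
import ipaddress
import re
# Constructed sample in the style of CeroWrt's /etc/xinetd.conf (hypothetical,
# not a shipped file): the ssh port is open, but only internal clients are served.
SAMPLE_XINETD_CONF = """
defaults
{
    only_from   = 172.30.42.0/24
}
service ssh
{
    socket_type = stream
    no_access   = 172.30.42.160/27   # assumed guest /27: internal, still denied
}
"""
_STANZA = re.compile(r"(defaults|service\s+(\S+))\s*\{(.*?)\}", re.S)

def parse_xinetd(text):
    """{service: {attr: [values]}}, with the defaults stanza merged into each
    service; only the 'attr = values' form and CIDR/single addresses are handled."""
    defaults, services = {}, {}
    for m in _STANZA.finditer(text):
        attrs = dict(defaults) if m.group(2) else {}
        for line in m.group(3).splitlines():
            line = line.split("#", 1)[0].strip()      # drop trailing comments
            if "=" not in line:
                continue
            key, _, val = line.partition("=")
            attrs[key.strip()] = val.split()
        if m.group(2):
            services[m.group(2)] = attrs
        else:
            defaults = attrs
    return services

def is_allowed(conf, service, client_ip):
    """Would xinetd admit client_ip to service? The longest matching prefix
    decides between only_from and no_access; a tie is treated as deny (assumed)."""
    svc = conf.get(service)
    if svc is None:
        return False                     # port may be open, but nothing answers
    ip = ipaddress.ip_address(client_ip)
    def longest_match(attr):
        nets = [ipaddress.ip_network(v, strict=False) for v in svc.get(attr, [])]
        hits = [n.prefixlen for n in nets if ip in n]
        return max(hits) if hits else None
    allow, deny = longest_match("only_from"), longest_match("no_access")
    if not svc.get("only_from"):         # no only_from at all: everyone but no_access
        return deny is None
    return allow is not None and (deny is None or allow > deny)
```

Run it against your own /etc/xinetd.conf with the addresses of a wired client, a guest client and an outside host to confirm that "open but filtered" really means filtered.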