Documentation for the sudo mesh firmware.
NOTE: Some of the stuff below the ToDo section is probably out of date (as of May 31st 2015)
Issues for later versions:
- Basic admin web UI for node database that let's you log in and list current nodes.
- fake captive portal working
- service browser working
- hardware watchdog working on ar71xx
- support for manually configured non-openwrt extender nodes
- Allow user to switch ethernet ports into "extender node (manual)" mode
- Only one network (either adhoc or open) can be extended using this mode. The user must be able to select which.
- Set up port forwarding from home node to each manually configured extender node for web UI access, e.g. 1443 to 443 on extender node 1, etc.
- This can be always-on for e.g. up to 16 ports without causing problems since it is only for traffic destined for the home node IP.
- There should be links to the extender node web UIs from the home node web UI.
- Apply for internet-routable IPv6 subnet and give each node their own subnet + hand out IPv6 addresses to clients
- extender node firmware working on old atheros chipset
- Remote firmware updates working
- Use either DNS-SD to list and pick an update server at random or IPv6 multi-homing?
- Remote automated root password reset (via h.sudomesh.org)
- IPv6 support for extender nodes
- Figure out how to legally use lower 5 ghz frequencies and ensure fancy back-off features are working
- Run OpenVPN on exit node.
In the future:
- Support TDMA on Linux (Adri is working on FreeBSD support, maybe we can port).
Firmware generation features
It should be easy to generate a new firmware with the following custom config:
- Location and ownership information.
- Contact info should be saved in a secure database but maybe not on the node itself?
- Randomly generated passwords set for wpa2, admin interface and ssh.
- The SSH password should be stored securely and a couple of stickers with the wpa2 and admin password should be printed for the user.
- Web interface
- ssh key generation
Freifunk Meshkit is pretty neat!
We'll be dividing the image generation and node configuration aspects into two parts.
Sudomesh Firmware Image Builder Github Repo has our image builder and
Sudomesh Node Configurator Makenode Github Repo is our node configurator.
Sudomesh OpenWrt Packages has all of the sudomesh openwrt packages that we're using/we've written.
We flash nodes with the sudomesh image and then we use the makenode to set them up with networking configs, ssh keys, etc. We also use makenode in conjuction with meshnode-db to write pertinent info to a database.
Status: Pretty much finished! We're testing the last few issues!
Stuff the firmware should have
Ranked from most to least important
When the node doesn't have internet access, it will redirect traffic to our mesh hosted Splash Page.
We need something hosted on the node that can check if it has access to the internet. There's a bit of an issue where certain OSes won't connect to APs that don't have internet access. Juul will look into building a hack that properly manages these requests and redirects them to our node-hosted site.
InternetIsDownRedirect may also have to fake the expected captive portal detection responses? We need to figure out if android/iOS/Mac/Windows will connect to a wifi that does not have internet access.
Status: Implemented except for OS-specific captive portal requests.
Splash page (Garden Gnome)
We can capture OS specific probes in order to specifically redirect captive portal requests without affecting any other network traffic.
Chris (snake_wrangler) is working on it and calling it the Garden Gnome. Ideally, we could just package this for debian - I think it's actually something a lot of projects would be excited about...
- Brief info on the mesh
- Link to our website?
maxb has implemented a MVP of this. Chris (snake_wrangler) is working on polishing, etc. it.
The SSH server should be contactable from any interface. It should initially allow root access using a random generated password that the mesh group has and that the node owner can get and change if they are so inclined.
Status: Implemented. Mostly openwrt stock but we've added keygen features for the node-configurator
Extender node firmware
We want to have a fairly simple extender node firmware that we can just flash to any openwrt compatible device and have it be able to be plugged into our routerboard and be a sudomesh radio which will be bridged. That way, the only routing that needs to take place will be on the routerboards.
We've developed notdhcp, which will allow a routerboard and extender node to negotiate a connection/configurations.
One thing is that we'll likely want to target a variety of hardware (if not chipsets), without having to run any sort of makenode after the firmware has been flashed.
A good example of how this could be done is by creating a /file/etc/uci-defaults script which will run first boot and can set configs depending on the "board" type: uci-defaults script gist
BATMAN-adv was the protocol that we had assumed we'd be able to use. Unfortunately, it looks as though it won't support tunneling over the internet, which is one of the primary features we had been hoping to implement. See our mailing list convo.
We're now using babel. It's been looking pretty good for our particular applications. There are some security/trust issues that we'd like to investigate further - see http://lists.alioth.debian.org/pipermail/babel-users/2015-April/001973.html for some ideas that babel might incorporate in the future.
Status: Ready, but can be improved
Multiple virtual network interfaces with their own SSIDs
- One ad-hock mode, unencrypted interface for the mesh nodes, e.g. sudomesh-backchannel
- One access point mode, unencrypted interface, for non-mesh devices to connect to the mesh, e.g. sudomesh.
- One access point mode, private interface with WPA2, for the people who own the nodes. [optional]
Traffic on the private interface should be completely separated from traffic on the non-private interfaces unless a client connected to the private interface requests an IP on the mesh.
Maybe the last one is optional because some people may not need that feature (they already have another access point and they want to keep it), but then how do people administrate the router?
In order to serve a secure web admin config to home users, we'll probably always serve 3 APs with one private WPA encrypted home link so that users can access their admin page.
Web admin interface
Development information should be put in Web Admin Dev. This section can remain a wish-list.
A very simple one-page interface. It should do at least the following:
- Display some set of user statistics
- Ideally we could list/graph the number of people who have associated with your mesh node.
- We could also just list/graph the up/down data of people who have been using the mesh.
- LightSquid (used by pfSense)
- Set location, name, description.
- But do you want to know the location centrally as well so that you can display nodes on the map? Will people enter this information twice or will you pull this information from nodes and then display on the map? Same for name and description. I would suggest that information is stored only once. In your case on the node itself. So probably you can then pull this information through nodewatcher scripts on nodes and then display nodes the map. Just really should not require people to enter or maintain information on two places because it desyncs very fast. Mitar (talk) 22:20, 24 July 2013 (PDT)
- Let people select how much bandwidth they share.
- They always share 100% when they're not using the connection themselves.
- This works if people are using their private SSIDs on the node. But if the node is connected to their existing home network you might not easily configure such sharing. But maybe there is a way to detect that host network is free and can limits can be increased. Mitar (talk) 22:20, 24 July 2013 (PDT)
- Do any ISPs have bandwidth caps around here? If so, let people specify how many MB to share per month.
- Maybe also a button for temporary increase limits (make them more restrictive) which are then after some time automatically restored.
- Let people change the admin password and the private wifi wpa2 password.
- Probably private SSID as well.
- Donate / "buy routers as presents for your friends"-button.
- One idea we had (but this is probably better for splash screen) is "adopt a node". Where a neighbor who uses a node a lot and depends on the node can donate some money to keep it up, but can then give a nickname or avatar to the node. Or something. Mitar (talk) 22:20, 24 July 2013 (PDT)
Status: Maxb implemented a luci-based ui. We decided we hate luci, so we're going to use the ubus uhttpd rpc protocol with a jsonrpc front-end. It's a bit copy-pasta'd from the openwireless router.
Once we deploy nodes, we'll want a way to update them as appropriate. The already built node configurator operates along similar lines, but we'd need to do some tweaking in order to make it work on the mesh. Also, we'd want to give the users the options to turn remote updates off. A somewhat decentralized system would be nice as well.
Node tests itself to see if it has connectivity, etc and resets itself if necessary. OpenWrt supports the hardware watchdog on our PicoStations without any additional hacking, yay!
By default the hardware watchdog will automatically hard-reset the AP if /dev/watchdog is not written to at least once every 60 seconds. A Lua library has been written to interface with the batman-adv kernel module through the batctl command line utility. We need to identify a list of conditions that require a hard-reset and work them into the Lua watchdog script in the openwrt-firmware repository.
The Freifunk group has an awesome watchdog setup, details: http://wiki.freifunk.net/Kamikaze/LuCI/Watchdog
list of possible reset conditions: high sustained load, cron goes down, sshd goes down.
Potential use of Quilt to update nodes.
Quality of Service (QoS)
We want those who own a node to decide how much internet they share with the network. This software allows users to shape their bandwidth based on type. There's an paper regarding layer 7 traffic shaping too.
Our supported hardware needs a very lightweight software, which is why we've been using tc (traffic control). It only allows the users to determine how much internet they share with the network.
These have firewall and network management tools included with the distribution.
- pfSense - a widely used firewall distribution, but there are most definitely difficulties with it.
- Zentyal - a firewall distribution with easy to use graphical interface.
- m0n0wall - a lightweight firewall distribution meant for embedded systems.
These are tools often used in network management distributions.
- netfilter/iptables - a set of hooks inside the Linux kernel that allows kernel modules to register callback functions with the network stack.
- iproute2 - a collection of utilities for controlling TCP / IP networking and traffic control.
- l7-filter (p2p filtering) - identifies packets based on application layer data. It classifies packets to be used with a bandwidth shaper.
- ipp2p (p2p filtering) - identifies peer-to-peer (P2P) data in IP traffic.
- Suricata - a high performance network intrusion detection system (IDS), intrusion prevention system (IPS), and network security monitoring engine.
- ipfirewall (ipfw) - a freeBSD firewall that uses netdummy.
- netdummy - a freeBSD traffic shaper and bandwidth manager.
- ipfw-classifyd - an application layer classifier for ipfw firewall for freeBSD.
Virtual Private Network (VPN)
The firmware should tunnel all internet traffic from the mesh through a VPN server, unless this feature is specifically disabled. This should not be a single server, as that would be a single point of failure.
- TunnelDigger - a lightweight tunneling client/server.
- OpenMesher - another option, but not ideal because of memory constraints on embedded systems.
Here is our Network Topology.
If the mesh does not see any other nodes (and maybe even if it does?), and it has internet, then it should connect to another node or two over VPN. The easy solution is to use the same VPN servers as for the internet.
Location and status reporting
Something that reports location and status when polled. I think we can probably get away with using snmp v1.
Nice to have:
- Status info: How many nodes is your node connected to. Is the internet link working.
- An "I don't know what my internet bandwidth is, test it for me"-function.
- Usage statistics (so people can see how many people they helped get internet!)
- This is the most important thing! Mitar (talk) 22:20, 24 July 2013 (PDT)
- You should add as well graphs on how much bandwidth was consumed by the node. This is useful when hosts see that their Internet is slow and believe that it was because of the node. Then they can check and see if it is really node (which often is not) or maybe just ISP has problems. Important because people like to attribute issues they have to nodes they don't understand. Mitar (talk) 22:20, 24 July 2013 (PDT)
- Let people put up a bit of info about their node / house / co-op, on a simple web page that people can access only if they're connected to that node. It could be shown as part of the splash page.
Status: Waiting for nodewatcher project to finish
Intelligent Wifi Channel Switching
It would be nice to be able to have the network intelligently determine channels
Stuff the firmware could have
Each node could run its own (caching) DNS server.
For now, if you're logged into the private network on a node, going to http://my.node will take you to the web admin interface
Implemented web admin URL, but no caching DNS server yet.
RSSI Testing and Logging
At intervals, the nodes could conduct RSSI tests and log them with some way to compare and visualize signal strengths over time.
Caching web proxy
We could use Polipo to improve people's browsing experience. Not sure how much cpu and memory this would need. We may not be able to run it on the routers with less than 32 MB ram (e.g. the Bullet 2 HPs).
Maxb has installed polio as a transparent caching proxy on a picostation 2HP. It improved web browsing significantly! However, it sorta breaks "net neutrality". Also - it'll be irrelevant for https and it might break some things (webdav?).
I wonder if you could (as an end user?) enable/disable this kinda proxying? On splash page? We would need MAC, but it would only get logged on the mesh node itself (not network wide....)
Block ads and tracking
We could use e.g. Polipo with the sources from both adblock plus and ghostery. If we implement this, it should be an optional (default off) feature that you can select on the splash page, with a "remember this" that remembers either using a cookie or using your MAC (but then we'd be logging people's MAC addresses :-S). The block should probably be time-limited (e.g. 30 days).
Now that we're running more powerful devices, I wonder if we could actually run this kind of blocking on the actual mesh nodes. That way we could do a "remember this" MAC and only store it on the mesh node itself (NOT network-wide).
We're going to target ar71xx devices with decent storage + processing speed + memory for "router board" nodes.
Right now we're using for "router board" nodes: WD MyNet N750 and/or TP-Link TL-WDR4300 The MyNets are no longer in production, but the TL-WDR4300 are the exact same board, just with external antennas.
Then we can use "extender nodes" which can basically just do wifi and bridging. This would be basically any router which supports openwrt. We'll probably begin by targeting a variety of ubiquiti long-distance high power radios (Nanostation M line, Bullet M line, Picostation M line, Nanobridge/beam/etc).
Really the extender nodes are just doing dumb bridging. The only reason we want them to run openwrt is so that they can do some fancier address assignment with notdhcp and have some nice UI features. We could actually setup something like 2 ends of an airfiber and just configure them the way we want (wouldn't need the dynamic features of notdhcp).