wiki:Internal/Soekris

Version 16 (modified by Joseph F. Miklojcik III, 14 years ago) ( diff )

Soekris net4801 hardware

http://soekris.com/Manuals/net4801_manual.pdf

There are no linux nor BSD drivers for the vpn1411 device we had hoped to use.

http://lists.soekris.com/pipermail/soekris-tech/2006-June/010523.html

On the other hand, all five ethernet (NatSemi) devices are fully supported pretty much everywhere.

You will want a paperclip. You're going to be poking that reset switch a lot.

connect a console

Get a linux laptop with a serial port. Connect the Soekris serial port to it using a crossover serial cable. There are a lot of these, unused, floating around ORBIT. They have "X OVER" written on them.

Run minicom in a terminal window that can handle vt102 (any of them can). Minicom should be set for 9600 baud, 8 databits, no parity, 1 stop bit, no flow control. Turn hardware flow control off in minicom. The UNIX device for talking to the console is almost certainly /dev/ttyS0.

Minicom and the Soekris console driver seem a little fragile. If you do wind up dumping junk to the serial port (as will be the case if you run pppd carelessly), you may gum it up so badly that you need to reboot.

configure the Soekris net4801 BIOS

Look at the banner from when the net4801 boots. Get the BIOS version and check it against the Soekris web site. Make sure you have the latest.

Hit C-p as it is booting to get to a BIOS prompt.

Issue these commands at the BIOS prompt, filling in today's date and the current time.

date YYYY/MM/DD
time HH:MM:SS
set ConSpeed=9600

The only reliable way to obtain the MAC address of 'Eth 0', without having an operating system already loaded, is to watch the diagnostic output of

boot f0

net install

The netboot image for debian is already around. You might need

http://centerclick.org/net4801/pxelinux/pxelinux.0.gz

as opposed to the pxelinux.bin that's already around. The pxelinux.0 that comes with the net-install.tar.gz from debian works, but does not print banners to minicom properly. You need to make a link in pxelinux.cfg to an appropriate pxelinux configuration file, namely the one for serial. To the end of the 'install' image you want to add:

DEBIAN_FRONTEND=text

(we did this, so it's probably already there.)

We tried this in several different ways with a remarkable number of pre-compiled pxelinux.0 files, but the net install could never find the CF disk. Eventually we gave up and moved to pre-loading the CF.

Voyage Linux

Voyage Linux is Debian with enough removed so it will fit in 64Mb.

http://www.voyage.hk/software/voyage.html

The "Kingston Elite Pro" CF card is reported by the 4801 as

Pri Sla SAMSUNG CF/ATA LBA Xlt 1012-32-63

The SimpleTech CF card is

Pri Mas Hitachi XX.V.3.7.0.0 LBA 993-16-63

The Kingston has an extremely different geometry when connected to my laptop through an IOMEGA USB media adapter. Nor can I adjust the reported geometry in fdisk. So you can't use it to hold bootable images. I have no idea why the Kingston shows up as a slave.

Get the tarball, untar it on your linux laptop as root like this:

sudo tar --numeric-owner -zxvf voyage-0.2pre4.tar.gz

There's a README in that tarball, and you should.

Attach the CF card to your linux laptop. If it gets automounted, unmount it. Cd into the untarred directory and run voyage.update as root. The CF card is likely to be /dev/sdb. On an Ubuntu box you can use /media/usbdisk as the mount point. When this finishes, move the CF card into the Soekris net4801, and reboot it.

LILO may be less than perfect at displaying over the serial port. Don't worry, it will boot.

Log in to the net4801 as root. The default root password is, predictably, 'voyage'. Voyage linux tries to be cute by mounting everything read only, so you need to remount the root partition as read write, like this:

mount -o remount,rw /

Now you can and should change the root password.

Change /etc/rc2.d/S99voyage so that the commands that keep remounting / ro are disabled.

You may also want to remove the rc link for rc2.d/S89watchdog, or set run_watchdog to 0 in init.d/watchdog.

Note that things like /root are normally linked to /rw/root, which is a tmpfs. It's all very cute, but you need to disable it at least for /root. /root needs to hold a persistent .ssh directory.

Run

apt-get update
apt-get upgrade

as usual. Reboot.

Edit /etc/network/interfaces so that there are entries for all five interfaces. We organize them like this:

Eth 0eth0uplink
Eth 1eth1CM
Eth 2eth2DATA
Eth 3eth3CONTROL
Eth 4eth4bonus uplink

PPP/SSH client configuration

General instructions can be found at

http://tldp.org/HOWTO/ppp-ssh

Details of how the commands below work are probably most in the man pages for pppd and ssh.

The idea is:

  1. Create a vpn account on the landing.
  1. Allow the vpn account on the landing to run pppd as root, by configuring /etc/sudoers with lines like these
    Cmnd_Alias VPN=/usr/bin/pppd
    vpn: ALL=NOPASSWD: VPN 
    
  1. Allow the vpn client to log in to the vpn account on the landing using an ssh key with no password. You're proably looking for this command:
    ssh-keygen -b 2048 -t rsa
    

If you just hit Enter when it asks you for a pass phrase, it will make a private key that is stored unencrypted.

  1. Run a script like the following on the client.
    #!/bin/bash
    case "$1" in
      start)
        /usr/sbin/pppd updetach noauth passive pty "ssh vpn@${LANDING} -o Batchmode=yes sudo /usr/sbin/pppd nodetach notty noauth" ipparam vpn ${LANDING_IP}:${CLIENT_IP}
        ;;
      stop)
        killall -9 pppd
        ;;
      *)
        echo please stop or start
        exit 1
        ;;
    esac
    exit 0
    
  1. Change iptables and the routing table in the Soekris net4801 so that the traffic coming in over ppp0 goes to the right interface on the ORBIT node, and so that all traffic from the ORBIT node's interfaces goes to ppp0.
  1. Change iptables, the routing table, and multi-homed interfaces in the landing so that packets for the remote ORBIT nodes are routed on the rest of the ORBIT network.
  1. Re-engineer voyage so it can be installed fifty times.
  1. Think about using a bigger CF card and making the net4801 a caching proxy for tftp.

As of 9/20, we're up to 5.

Note: See TracWiki for help on using the wiki.