wiki:Internal/Soekris

Version 20 (modified by (none), 14 years ago)

= Soekris net4801 hardware =

The manual for the net4801, http://soekris.com/Manuals/net4801_manual.pdf, is inadequate.

There are no linux or BSD drivers for the vpn1411 device we had hoped to use. See http://lists.soekris.com/pipermail/soekris-tech/2006-June/010523.html.

On the other hand, all five ethernet (NatSemi) devices are fully supported pretty much everywhere.

You will want a paperclip. You're going to be poking that reset switch a lot.

== connect a console ==

Get a linux laptop with a serial port. Connect the Soekris serial port to it using a crossover serial cable. There are a lot of these, unused, floating around ORBIT. They have "X OVER" written on them.

Run minicom in a terminal window that can handle vt102 (any of them can). The first time you start a console, minicom should be set for 19200 baud, 8 databits, no parity, 1 stop bit, no flow control. Be sure to turn hardware and software flow control off in minicom. The UNIX device for talking to the console is almost certainly /dev/ttyS0 or /dev/ttyUSB0. Usually when linux runs its console on a serial port, it goes at 9600 baud, so set the console baud to 9600 (see below) when you have the chance.

Minicom and the Soekris console driver seem a little fragile. If you do wind up dumping junk to the serial port (as will be the case if you run pppd carelessly), you may gum it up so badly that you need to reboot.

== configure the Soekris net4801 BIOS ==

Look at the banner from when the net4801 boots. Get the BIOS version and check it against the Soekris web site. Make sure you have the latest.

Hit C-p as it is booting to get to a BIOS prompt.

Issue these commands at the BIOS prompt, filling in today's date and the current time.

{{{
date YYYY/MM/DD
time HH:MM:SS
set ConSpeed=9600
}}}

The only reliable way to obtain the MAC address of 'Eth 0', without having an operating system already loaded, is to watch the diagnostic output of

{{{
boot f0
}}}

== net install ==

The netboot image for debian is already around. You might need

http://centerclick.org/net4801/pxelinux/pxelinux.0.gz

as opposed to the pxelinux.bin that's already around. The pxelinux.0 that comes with the net-install.tar.gz from debian works, but does not print banners to minicom properly. You need to make a link in pxelinux.cfg to an appropriate pxelinux configuration file, namely the one for serial. To the end of the kernel command line for the 'install' entry in that configuration you want to add:

{{{
DEBIAN_FRONTEND=text
}}}

(We did this, so it's probably already there.)
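As an added example (not a file from this wiki or from the debian net-install tarball), here is what a serial-console pxelinux configuration for the 'install' entry looks like with DEBIAN_FRONTEND=text appended. The serial speed matches the ConSpeed=9600 set in the BIOS above; the kernel and initrd paths follow the usual debian i386 netboot layout and are an assumption here.

```shell
# Emit a pxelinux.cfg for a serial-console debian installer on the net4801.
# Added example; kernel/initrd paths are the assumed debian netboot i386 layout.
pxelinux_serial_config() {
    baud=${1:-9600}   # same speed as the BIOS ConSpeed setting
    cat <<EOF
SERIAL 0 $baud
CONSOLE 0
DEFAULT install
PROMPT 1
TIMEOUT 50
LABEL install
    KERNEL debian-installer/i386/linux
    APPEND vga=normal initrd=debian-installer/i386/initrd.gz console=ttyS0,${baud}n8 DEBIAN_FRONTEND=text --
EOF
}

# Usage: write the serial config and point the default entry at it, as the page suggests:
#   pxelinux_serial_config 9600 > pxelinux.cfg/serial && ln -sf serial pxelinux.cfg/default
```

SERIAL must be the first directive in the file for syslinux to honour it, and CONSOLE 0 stops pxelinux from also writing to the (absent) VGA console; console=ttyS0 on the APPEND line is what makes the installer's own output reach minicom.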

We tried this in several different ways with a remarkable number of pre-compiled pxelinux.0 files, but the net install could never find the CF disk. Eventually we gave up and moved to pre-loading the CF.

== Voyage Linux ==

Voyage Linux is Debian with enough removed so it will fit in 64Mb. See http://www.voyage.hk/software/voyage.html.

There is one CF slot inside the net4801. We're not sure all CF cards work with it. The "Kingston Elite Pro" CF card is reported by the 4801 as

{{{
Pri Sla SAMSUNG CF/ATA LBA Xlt 1012-32-63
}}}

The SimpleTech CF card is

{{{
Pri Mas Hitachi XX.V.3.7.0.0 LBA 993-16-63
}}}

The Kingston has an extremely different geometry (last three numbers reported above) when connected to my laptop through an IOMEGA USB media adapter. Nor can I adjust the reported geometry in fdisk. So you can't use it to hold (some) bootable images. I have no idea why the Kingston shows up as a slave. It just seems best for now to avoid using any CF card for which fdisk and the net4801 bios report different geometries.

Get the tarball and untar it on your linux laptop as root, like this:

{{{
sudo tar --numeric-owner -zxvf voyage-0.2pre4.tar.gz
}}}

You must untar as root. There are special device files in the tar. There's a README in the tar, and you should.

Attach the CF card to your linux laptop. If it gets automounted, unmount it. cd into the untarred directory and run voyage.update as root. The CF card is likely to be /dev/sdb. On an Ubuntu box you can use /media/usbdisk as the mount point. When this finishes, move the CF card into the Soekris net4801 and boot it. At worst you will need to get to a BIOS prompt with C-p, then issue the command

{{{
boot 80
}}}

LILO may be less than perfect at displaying over the serial port. Don't worry, it will boot.

Log in to the net4801 as root. The default root password is, predictably, 'voyage'. Voyage linux tries to be cute by mounting everything read-only, so you need to remount the root partition read-write, like this:

{{{
mount -o remount,rw /
}}}

In stable versions of voyage linux, you can use the commands

{{{
remountrw
remountro
}}}

Now you can and should change the root password.

Change /etc/rc2.d/S99voyage so that the commands that keep remounting / ro are disabled.

Note that things like /root are normally linked to /rw/root, which is a tmpfs. It's all very cute, but you need to disable it at least for /root, which needs to hold a persistent .ssh directory.

Run 

{{{
apt-get update
apt-get upgrade
}}}

as usual. Reboot.

Edit /etc/network/interfaces so that there are entries for all five interfaces. We organize them like this:

||'''BIOS label'''||'''linux device'''||'''role'''||
||Eth 0||eth0||uplink||
||Eth 1||eth1||CM||
||Eth 2||eth2||DATA||
||Eth 3||eth3||CONTROL||
||Eth 4||eth4||bonus uplink||

== PPP/SSH client configuration ==

General instructions can be found at

http://tldp.org/HOWTO/ppp-ssh

Details of how the commands below work are best found in the man pages for pppd and ssh.

The idea is:

1. Create a vpn account on the landing.

2. Allow the vpn account on the landing to run pppd as root, by configuring /etc/sudoers (with visudo) with lines like these
{{{
Cmnd_Alias VPN=/usr/sbin/pppd
vpn ALL=(root) NOPASSWD: VPN
}}}

3. Allow the vpn client to log in to the vpn account on the landing using an ssh key with no password. You're probably looking for this command:
{{{
ssh-keygen -b 2048 -t rsa
}}}
If you just hit Enter when it asks you for a pass phrase, it will make a private key that is stored unencrypted.

4. Run a script like the following on the client.
{{{
#!/bin/bash
# LANDING (the landing's hostname), LANDING_IP and CLIENT_IP (the two ends of
# the ppp link) must be set in the environment before this script is run.
: "${LANDING:?set LANDING to the landing host}"
: "${LANDING_IP:?set LANDING_IP to the landing's ppp address}"
: "${CLIENT_IP:?set CLIENT_IP to this client's ppp address}"

case "$1" in
  start)
    # The local pppd talks over a pty to ssh, which runs the remote pppd as root via sudo.
    # pppd reads its last argument as local:remote; check the two addresses are ordered that way for your setup.
    /usr/sbin/pppd updetach noauth passive pty "ssh vpn@${LANDING} -o BatchMode=yes sudo /usr/sbin/pppd nodetach notty noauth" ipparam vpn ${LANDING_IP}:${CLIENT_IP}
    ;;
  stop)
    killall -9 pppd
    ;;
  *)
    echo "please say start or stop"
    exit 1
    ;;
esac
exit 0
}}}

5. Change iptables and the routing table in the Soekris net4801 so that the traffic coming in over ppp0 goes to the right interface on the ORBIT node, and so that all traffic from the ORBIT node's interfaces goes to ppp0.

6. Change iptables, the routing table, and multi-homed interfaces in the landing so that packets for the remote ORBIT nodes are routed on the rest of the ORBIT network.

7. Install and configure dhcp proxy on the host.

8. Try L2TP instead of SSH for tunneling. We don't care about encryption, particularly.

9. Re-engineer voyage so it can be installed fifty times.

10. Think about using a bigger CF card and making the net4801 a caching proxy for tftp.
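As an added example, not code from this wiki or the ppp-ssh HOWTO, here is the landing-side tightening for steps 2 and 3 plus the net4801-side commands for step 5. The point of the first function is that the unencrypted key from step 3 is otherwise a full login as vpn on the landing; a forced `command=` makes ssh ignore whatever the client asks for and run only the pppd server command, and the `no-*` options close off ptys and forwarding. The vpn account name and /usr/sbin/pppd come from the page; the `from=` address, the interface name eth3 and the network and addresses used in the test are assumed placeholders. Everything prints rather than applies so the result can be reviewed first.

```shell
# Added example for steps 2, 3 and 5 of the PPP/SSH setup above.
# Nothing here runs iptables or edits files; each function prints what to install.
PPPD=/usr/sbin/pppd

# Landing: one authorized_keys line for the vpn account. $1 is the client's
# public key (the contents of id_rsa.pub), $2 the client address allowed to use it
# (assumed; drop from= if the client's address is not fixed). The forced command is
# exactly what the client script asks ssh to run, so the client side is unchanged.
landing_authorized_key_line() {
    printf 'command="sudo %s nodetach notty noauth",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding,from="%s" %s\n' "$PPPD" "$2" "$1"
}

# Landing: sudoers lines letting vpn run only pppd, as root, without a password.
# Install them with visudo so a syntax error cannot lock sudo.
landing_sudoers_lines() {
    printf 'Cmnd_Alias VPN=%s\nvpn ALL=(root) NOPASSWD: VPN\n' "$PPPD"
}

# net4801, step 5: forward between ppp0 and the node-facing interface only,
# and send the ORBIT network over the tunnel. $1 = node-facing interface
# (eth3 is the CONTROL port in the table above, assumed here), $2 = network
# reachable via the landing in CIDR form, $3 = the landing's ppp address.
client_forward_rules() {
    iface=$1; orbit_net=$2; landing_ppp=$3
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -P FORWARD DROP
iptables -A FORWARD -i ppp0 -o $iface -j ACCEPT
iptables -A FORWARD -i $iface -o ppp0 -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
ip route add $orbit_net via $landing_ppp dev ppp0
EOF
}

# Usage (review the output, then pipe it to sh on the right box):
#   landing_authorized_key_line "$(cat id_rsa.pub)" 10.0.0.2 >> ~vpn/.ssh/authorized_keys
#   landing_sudoers_lines            # paste into visudo
#   client_forward_rules eth3 10.10.0.0/16 10.99.0.1 | sh
```

The FORWARD policy is DROP with explicit accepts in each direction, so a mistake in the routing table fails closed instead of leaking the other four interfaces through the tunnel. Because the forced command is run without a tty, sudo on the landing must not have requiretty set (Debian's default does not).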

As of 9/20, we're up to 6.