HOWTOs

Note: the examples on this page may be outdated; new features are now described only in the WiBSD handbook. Please look there for current and complete information.

Below you can find some useful HOWTOs. If you cannot find the HOWTO you are looking for, or you have a problem with one of them, please contact us via the WiBSD mailing list.


HOWTO Change configuration

The whole WiBSD configuration is in one single file, /etc/rc.conf, so to configure the system you only have to change this one file. That makes configuration, backup and recovery after any failure or upgrade easy.

/etc/rc.conf is physically stored on the compact flash, which is usually mounted read-only. Use the command rwremount to remount the compact flash read/write; the command roremount remounts it read-only again.

In more detail, the configuration is merged from three config files:

    /etc/defaults/rc.conf
    /etc/defaults/wibsd.conf
    /etc/rc.conf
    

You can find the default settings of WiBSD (with helpful comments) in the files /etc/defaults/rc.conf and /etc/defaults/wibsd.conf; override the variables you need in /etc/rc.conf to make your particular configuration.

HOWTO Manage user accounts

Configure in /etc/rc.conf something like:

    make_accounts_users="wibsd root toor"
    make_accounts_user_wibsd_password_hash='$1$onw74atP$xqaOmtLIjAxN4SYG4Ntkh1'
    make_accounts_user_root_password_hash='$1$j/kvXYrq$J7huLPiw6/tM/BZPLDvH90'
    make_accounts_user_toor_password_hash='$1$j/kvXYrq$J7huLPiw6/tM/BZPLDvH90'
    make_accounts_user_toor_shell="/usr/local/bin/bash"
    
See more details in file /etc/defaults/wibsd.conf

HOWTO Setting up a router with NAT

Install WiBSD and configure rc.conf like this:

    hostname="YOUR_HOSTNAME"
    
    ifconfig_sis0="inet a.b.c.d/MASK" #WAN interface with IP and mask from your ISP
    ifconfig_sis1="inet 192.168.0.1/24"

    resolv_conf_nameservers="YOUR_PRIMARY_NAMESERVER YOUR_SECONDARY_NAMESERVER"
    resolv_conf_search="YOUR_SEARCH_DOMAIN"

    natd_interface="sis0"
    natd_enable="YES"

    dhcpd_enable="YES"
    dhcpd_ifaces="sis1"
    dhcpd_domain_name="YOUR_DOMAIN_FOR_LAN"
    dhcpd_domain_name_servers="NAMESERVER_1_FOR_WORKSTATIONS,NAMESERVER_2_FOR_WORKSTATIONS"

    dhcpd_subnet_sis1_address="192.168.0.0"
    dhcpd_subnet_sis1_netmask="255.255.255.0"
    dhcpd_subnet_sis1_gateway="192.168.0.1"
    dhcpd_subnet_sis1_range_start="192.168.0.100"
    dhcpd_subnet_sis1_range_end="192.168.0.200"

    fw_private_client_blocks="192.168.0.0/24"
    

HOWTO Setting up a CDMA router

Note: WiBSD 2.x only

Install WiBSD and configure rc.conf like:

    hostname="YOUR_HOSTNAME"
    resolv_conf_nameservers="YOUR_PRIMARY_NAMESERVER YOUR_SECONDARY_NAMESERVER"
    resolv_conf_search="YOUR_SEARCH_DOMAIN"

    natd_interface="tun0"
    fw_wan_interface="tun0"

    ppp_conf_enable="YES"
    ppp_conf_include_default_section="YES"
    ppp_conf_sections="cdma"
    ppp_conf_section_cdma_sets="log speed device phone authname authkey timeout"
    ppp_conf_section_cdma_set_log=""
    ppp_conf_section_cdma_set_speed="921600"
    ppp_conf_section_cdma_set_device="/dev/ucom0"
    ppp_conf_section_cdma_set_phone="\"#777\""
    ppp_conf_section_cdma_set_authname="YOUR_USERNAME"
    ppp_conf_section_cdma_set_authkey="YOUR_PASSWORD"
    ppp_conf_section_cdma_set_timeout="0"
    ppp_conf_section_cdma_disables="ipv6 dns"
    ppp_conf_section_cdma_routes="default"
    ppp_conf_section_cdma_route_default="default HISADDR"

    ppp_wdog_enable="YES"

    crontab_lines="$crontab_lines ppp"
    crontab_line_ppp_comment="PPP/natd wdog for CDMA"
    crontab_line_ppp="*/1 * * * * root /usr/local/bin/wdog_ppp.sh -nr cdma >/dev/null"
    

The new Eurotel AnyDATA modem is also supported, but changes to the configuration are needed; see the WiBSD handbook for more information.

Now continue with the "Setting up a router with NAT" HOWTO.

HOWTO Setting up a DHCPD

Add to rc.conf this:

    dhcpd_enable="YES"
    dhcpd_ifaces="sis1"
    dhcpd_domain_name="YOUR_DOMAIN_FOR_LAN"
    dhcpd_domain_name_servers="NAMESERVER_1_FOR_WORKSTATIONS,NAMESERVER_2_FOR_WORKSTATIONS"

    dhcpd_subnet_sis1_address="192.168.0.0"
    dhcpd_subnet_sis1_netmask="255.255.255.0"
    dhcpd_subnet_sis1_gateway="192.168.0.1"
    dhcpd_subnet_sis1_range_start="192.168.0.100"
    dhcpd_subnet_sis1_range_end="192.168.0.200"

    #
    # use this to define static entries
    dhcpd_max_static_hosts="2"
    # HOST 1
    dhcpd_host_1_hostname="HOST1"
    dhcpd_host_1_hw="00:0f:b0:03:de:1f"
    dhcpd_host_1_ip="192.168.0.10"
    # HOST2
    dhcpd_host_2_hostname="HOST2"
    dhcpd_host_2_hw="00:50:fc:44:2a:83"
    dhcpd_host_2_ip="192.168.1.12"
    

Note: This configuration style is obsolete, consult WiBSD handbook for actual information.

static arp entries for static dhcp client

Please see the WiBSD handbook for information about this feature.

shared-network

WiBSD now supports shared-network for dhcpd, i.e. several different networks on one interface using one section in dhcpd.conf. It is useful if, for example, you want to offer addresses from 10.0.99.0/24 to unknown clients on interface wi0 and addresses from 10.0.98.0/24 to clients selected by their MAC address.

First define the subnet names in dhcpd_subnets. If you leave this variable empty, dhcpd_ifaces will be used (for backward compatibility). For each subnet you have to define its interface, and if there are several subnets on one interface, they will be put into one shared-network section. If you do not define the interface, the subnet name will be taken as the interface (for backward compatibility).

You don't have to create a range for every subnet in a shared network; if you do not create one, no address from that subnet will be offered to clients. The main point is that you can still create static address mappings from that subnet based on the client's MAC address.

The DHCP server will then be started on all interfaces on which you have defined subnets.

Example:

    dhcpd_subnets="7 13"
    
    # 7
    dhcpd_subnet_7_address="10.0.99.0"
    dhcpd_subnet_7_netmask="255.255.255.0"
    dhcpd_subnet_7_gateway="10.0.99.1"
    dhcpd_subnet_7_range_start="10.0.99.100"
    dhcpd_subnet_7_range_end="10.0.99.200"
    dhcpd_subnet_7_iface="wi0"
    #
    # 13
    dhcpd_subnet_13_address="10.0.98.0"
    dhcpd_subnet_13_netmask="255.255.255.0"
    dhcpd_subnet_13_gateway="10.0.98.1"
    dhcpd_subnet_13_iface="wi0"
    #
    dhcpd_host_dynamic1_hostname="user1"
    dhcpd_host_dynamic1_hw="00:11:24:a0:1c:59"
    dhcpd_host_dynamic1_ip="10.0.98.50"
    #
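
As an added illustration of the rules above (this is not WiBSD's own rc script), the following POSIX sh snippet generates the dhcpd.conf subnet section from the variables described, grouping subnets that share an interface into one shared-network block and leaving out "range" where no range is defined. It assumes the variable names shown on this page and plain ISC dhcpd syntax; static host entries are omitted.

```shell
#!/bin/sh
# Added example (not WiBSD's own rc script): builds the subnet part of
# dhcpd.conf from the dhcpd_* rc.conf variables described above. Subnets that
# share one interface are grouped into one shared-network block, a subnet
# without range_start/range_end gets no "range" line, an empty dhcpd_subnets
# falls back to dhcpd_ifaces, and a subnet without _iface uses its own name as
# the interface. Static host entries are left out; the variable names are the
# page's, the generated syntax is plain ISC dhcpd.

# Constructed sample settings: the two-subnet shared-network example on wi0,
# plus the older single-subnet style keyed by interface name (sis1).
dhcpd_ifaces="sis1"
dhcpd_subnets="7 13"
dhcpd_subnet_7_address="10.0.99.0"
dhcpd_subnet_7_netmask="255.255.255.0"
dhcpd_subnet_7_gateway="10.0.99.1"
dhcpd_subnet_7_range_start="10.0.99.100"
dhcpd_subnet_7_range_end="10.0.99.200"
dhcpd_subnet_7_iface="wi0"
dhcpd_subnet_13_address="10.0.98.0"
dhcpd_subnet_13_netmask="255.255.255.0"
dhcpd_subnet_13_gateway="10.0.98.1"
dhcpd_subnet_13_iface="wi0"
dhcpd_subnet_sis1_address="192.168.0.0"
dhcpd_subnet_sis1_netmask="255.255.255.0"
dhcpd_subnet_sis1_gateway="192.168.0.1"
dhcpd_subnet_sis1_range_start="192.168.0.100"
dhcpd_subnet_sis1_range_end="192.168.0.200"

# getvar NAME: print the value of the shell variable called NAME (empty if unset)
getvar() { eval "printf '%s' \"\${$1}\""; }

# subnet_iface ID: interface of subnet ID; the subnet name itself if _iface is unset
subnet_iface() {
    _i=$(getvar "dhcpd_subnet_$1_iface")
    printf '%s' "${_i:-$1}"
}

# emit_subnet ID INDENT: one "subnet ... { }" stanza; "range" only if both ends are set
emit_subnet() {
    _rs=$(getvar "dhcpd_subnet_$1_range_start")
    _re=$(getvar "dhcpd_subnet_$1_range_end")
    _gw=$(getvar "dhcpd_subnet_$1_gateway")
    printf '%ssubnet %s netmask %s {\n' "$2" \
        "$(getvar "dhcpd_subnet_$1_address")" "$(getvar "dhcpd_subnet_$1_netmask")"
    [ -n "$_gw" ] && printf '%s  option routers %s;\n' "$2" "$_gw"
    [ -n "$_rs" ] && [ -n "$_re" ] && printf '%s  range %s %s;\n' "$2" "$_rs" "$_re"
    printf '%s}\n' "$2"
}

# dhcpd_ifaces_in_use: the distinct interfaces dhcpd has to listen on, space separated
dhcpd_ifaces_in_use() {
    _seen=""
    for _s in ${dhcpd_subnets:-$dhcpd_ifaces}; do      # fallback for old configs
        _if=$(subnet_iface "$_s")
        case " $_seen " in *" $_if "*) ;; *) _seen="$_seen $_if" ;; esac
    done
    printf '%s' "${_seen# }"
}

# gen_dhcpd_conf: all subnets, wrapping those that share an interface in shared-network
gen_dhcpd_conf() {
    for _iface in $(dhcpd_ifaces_in_use); do
        _members=""
        for _s in ${dhcpd_subnets:-$dhcpd_ifaces}; do
            [ "$(subnet_iface "$_s")" = "$_iface" ] && _members="$_members $_s"
        done
        set -- $_members
        if [ $# -gt 1 ]; then
            printf 'shared-network %s {\n' "$_iface"
            for _s in "$@"; do emit_subnet "$_s" "  "; done
            printf '}\n'
        else
            emit_subnet "$1" ""
        fi
    done
}

gen_dhcpd_conf
```

Running it prints the shared-network block for wi0 with a range for subnet 7 only; clearing dhcpd_subnets makes it fall back to the sis1 subnet.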
	 

HOWTO Setting up a SNMPd

Add to rc.conf this:

    net_snmpd_enable="YES"
    net_snmpd_rocommunity="YOUR_COMMUNITY_PASSWORD"
    net_snmpd_rocommunity_permit_from="YOUR_IP_FROM_WHERE_YOU_RUN_SNMP_CLIENT"
    net_snmpd_disks="$net_snmpd_disks flash"
    net_snmpd_disk_flash="/mnt/flashcard            55%"
    

Start snmpd from the command line:

    /usr/local/etc/rc.d/30.snmpd.sh start

HOWTO Configure VPN link using OpenVPN static secret key

On one side of VPN link:

    openvpn_enable="YES"
    openvpn_daemon="YES"
    openvpn_x_secret="-----BEGIN OpenVPN Static key V1-----
    2bfa2a8f969af3439f0134c301538b87
    94a68c9d2dd9237964c9ae6e9c34c4d4
    0123befbc05985cdea31d75f721ce754
    58b0057260cfe28a0d65926c1d44b23d
    2d3fa71ff658c5b32ba4c803a5885520
    bafc2af6fe70f485f5e1bfb6a9ae84c3
    42cbe4f16227c3dfcace44bcf2963f9c
    c94efb22d3de2862957c1df154199cf1
    4756d86d850d7e56df3db7c86886e787
    a00745d9e6046cf7dfb011b9944ef20c
    048a18b091b24b93944fdc5dfba4dd8d
    871ed8dddc709e54a3d749b150f62f95
    32e348283874afcc4fed1ba07d6a3c5b
    846cf1d709d20ddd75fc6ddc40cecf2e
    6ee31fd4af8f2bf9b74906ee4610dbae
    ce70de62d4f09286e14f6ff4e86bdc97
    -----END OpenVPN Static key V1-----"
    # if you are using tun0 for CDMA you have to define openvpn_dev="tun1" 
    openvpn_dev="tun"
    openvpn_remote="VPN2_HOST"
    openvpn_ifconfig="10.99.9.1 10.99.9.2"
    openvpn_port="5001"
    openvpn_proto="udp"
    openvpn_route_delay="2"
    openvpn_route_gateway="10.99.9.2"
    openvpn_verb="5"
    openvpn_keepalive="10 120"
    openvpn_tun_mtu="1255"
    # other static routes
    openvpn_route="10.85.9.0 255.255.255.0"
    

On the other side of VPN link:

    openvpn_enable="YES"
    openvpn_daemon="YES"
    openvpn_secret_key="-----BEGIN OpenVPN Static key V1-----
    2bfa2a8f969af3439f0134c301538b87
    94a68c9d2dd9237964c9ae6e9c34c4d4
    0123befbc05985cdea31d75f721ce754
    58b0057260cfe28a0d65926c1d44b23d
    2d3fa71ff658c5b32ba4c803a5885520
    bafc2af6fe70f485f5e1bfb6a9ae84c3
    42cbe4f16227c3dfcace44bcf2963f9c
    c94efb22d3de2862957c1df154199cf1
    4756d86d850d7e56df3db7c86886e787
    a00745d9e6046cf7dfb011b9944ef20c
    048a18b091b24b93944fdc5dfba4dd8d
    871ed8dddc709e54a3d749b150f62f95
    32e348283874afcc4fed1ba07d6a3c5b
    846cf1d709d20ddd75fc6ddc40cecf2e
    6ee31fd4af8f2bf9b74906ee4610dbae
    ce70de62d4f09286e14f6ff4e86bdc97
    -----END OpenVPN Static key V1-----"
    # if you are using tun0 for CDMA you have to define openvpn_dev="tun1" 
    openvpn_dev="tun"
    openvpn_remote="VPN1_HOST"
    openvpn_ifconfig="10.99.9.2 10.99.9.1"
    openvpn_port="5001"
    openvpn_proto="udp"
    openvpn_route_delay="2"
    openvpn_route_gateway="10.99.9.1"
    openvpn_verb="5"
    openvpn_keepalive="10 120"
    openvpn_tun_mtu="1255"
    # other static routes
    openvpn_route="10.85.9.0 255.255.255.0"
    openvpn_route="10.85.8.0 255.255.255.0"
    

HOWTO Certification Authority and VPN links using OpenVPN PKI

Certification Authority and key generation

This HOWTO will guide you through the creation of a Certification Authority, the generation of a server certificate and a client certificate, and then the OpenVPN configuration on both sides, so that at the end we will have a working OpenVPN link between the two boxes.

On the server (or concentrator), prepare for certificate/key generation. This initializes some needed variables for you:

    . /etc/defaults/wibsd.conf
    . /etc/rc.conf
    cd $openvpn_x_easy_rsa_root
    . ./vars
    

Clean all possible rubbish and create a key pair for the certification authority:

    ./clean-all         # be VERY VERY CAREFUL; if you do it after CA
                        # creation, you can delete ALL YOUR CERTIFICATES
    ./build-ca
    

Then create a pair for the server and the DH parameters:

    ./build-key-server server
    ./build-dh			# on soekris 45xx it takes about 15 minutes
    

Then generate a client's certificate/key pair:

    ./build-key some_fully_qualified_hostname
    

Server configuration

Add this to your /etc/rc.conf file:

    openvpn_enable="YES"
    # this is IP range for PTP links that will be created for each
    # client. You can set it as you like, eg. "192.168.10.0 255.255.255.0"
    openvpn_server="10.254.0.0 255.255.0.0"
    openvpn_dev="tun"
    openvpn_proto="udp"
    openvpn_user="root"
    openvpn_group="wheel"
    # we route the whole 10.0.0.0/8 network because we use some
    # 10's C loopbacks that are behind the PTP links. For
    # basic functionality you don't even need that.
    openvpn_route="10.0.0.0 255.0.0.0"
    

Now you have to save all the keys and certificates into rc.conf. The files will then be created during OpenVPN startup. You set the location of the files using the regular OpenVPN options and define the content of the files using the auxiliary "_x_" variables. See the example server configuration.

If you want to internally route some particular IP block (which must of course be part of the block from the openvpn_route variable) to a specific client, set up the Client Config Dir (OpenVPN 2.0 uses just one tun interface for all VPN connections, so some kind of internal routing must exist); some_fully_qualified_hostname is the name used above during the client's pair creation.

    openvpn_x_ccd_clients="xxx"
    openvpn_x_ccd_client_xxx="some_fully_qualified_hostname"
    openvpn_x_ccd_client_xxx="10.10.12.0 255.255.255.0"
    

The configuration above creates a special file in the /usr/local/etc/openvpn/ccd directory (by default).

Client configuration

Now set the OpenVPN configuration on the client's side:

    openvpn_enable="YES"
    openvpn_client="YES"
    openvpn_dev="tun"
    openvpn_remote="YOUR_SERVER_IP"	# set this to the correct IP of the VPN concentrator (server)
    openvpn_nobind="YES"
    openvpn_proto="udp"
    openvpn_user="root"
    openvpn_group="wheel"
    openvpn_ns_cert_type="server"	# DON'T FORGET TO INCLUDE THIS
    

As on the server's side, you must include the certificate of the Certification Authority (this certificate is used to verify that the server is what it claims to be) and then the certificate and key of the client. See the real part of the client's rc.conf.

Starting the VPN

Start the VPN daemon on the server's side:

    /usr/local/etc/rc.d/75.openvpn.sh start
    

Start the VPN daemon on the client's side:

    /usr/local/etc/rc.d/75.openvpn.sh start
    

Then check the tail of /var/log/messages to see whether everything is OK. You can also look in the /usr/local/etc/openvpn directory to check that all certificates/keys were properly generated. On the server's side only, you can check the /usr/local/etc/openvpn/ccd directory if you configured CCD.

Checking the connection

If you did everything correctly, you should be able to ping from one end to the other. Note that you cannot ping exactly the opposite side of the point-to-point link: use the server's IP if sitting on the client and the client's IP if sitting on the server. This is how it looks on the server's side:


    root@server.site.prg:~# ifconfig tun0
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	    inet 10.254.0.1 --> 10.254.0.2 netmask 0xffffffff 
	    Opened by PID 893
    root@server.site.prg:~# 
    root@server.site.prg:~# ping 10.254.0.6
    PING 10.254.0.6 (10.254.0.6): 56 data bytes
    64 bytes from 10.254.0.6: icmp_seq=0 ttl=64 time=45.296 ms
    64 bytes from 10.254.0.6: icmp_seq=1 ttl=64 time=45.839 ms
    64 bytes from 10.254.0.6: icmp_seq=2 ttl=64 time=43.581 ms
    ^C
    --- 10.254.0.6 ping statistics ---
    3 packets transmitted, 3 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 43.581/44.905/45.839/0.962 ms
    

And this is how it looks on the client's side:


    root@shewolf.wibsd.cz:~# ifconfig tun0
    tun0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> mtu 1500
	    inet 10.254.0.6 --> 10.254.0.5 netmask 0xffffffff 
	    Opened by PID 1311
    root@shewolf.wibsd.cz:~# 
    root@shewolf.wibsd.cz:~# ping 10.254.0.1
    PING 10.254.0.1 (10.254.0.1): 56 data bytes
    64 bytes from 10.254.0.1: icmp_seq=0 ttl=64 time=74.562 ms
    64 bytes from 10.254.0.1: icmp_seq=1 ttl=64 time=38.733 ms
    64 bytes from 10.254.0.1: icmp_seq=2 ttl=64 time=45.143 ms
    64 bytes from 10.254.0.1: icmp_seq=3 ttl=64 time=42.012 ms
    ^C
    --- 10.254.0.1 ping statistics ---
    4 packets transmitted, 4 packets received, 0% packet loss
    round-trip min/avg/max/stddev = 38.733/50.112/74.562/14.297 ms
    

HOWTO Create point-to-multipoint OpenVPN server using users and passwords instead of certificates

First create the certification authority, the server certificate and its secret key as shown above and save them in rc.conf (clients do not need certificates, but the server does).

Please note the openvpn_config_delimiter variable. Sometimes the real config file needs two lines with the same option name but different values. That cannot be expressed in rc.conf in the standard way (a variable can be assigned only once), so you use one variable name and the delimiter, as shown in the example below.

Then configure rc.conf like this:

    openvpn_enable="YES"
    openvpn_config_delimiter="_NEXT_"
    openvpn_tls_server="YES"

    openvpn_mode="server"
    openvpn_dev="tap"
    openvpn_proto="tcp-server"
    openvpn_port="5001"
    openvpn_ifconfig="10.150.0.1 255.255.255.0"

    openvpn_ifconfig_pool="10.150.0.65 10.150.0.126 255.255.255.0"
    openvpn_duplicate_cn="YES"

    openvpn_push="\"route-gateway 10.150.0.1\"_NEXT_\"redirect-gateway\"_NEXT_\"dhcp-option DOMAIN out.idc.cz\"_NEXT_\"dhcp-option DNS 1.2.3.4\"_NEXT_\"dhcp-option DNS 4.5.6.7\""

    openvpn_ca="/usr/local/etc/openvpn/ca.crt"
    openvpn_cert="/usr/local/etc/openvpn/server.crt"
    openvpn_key="/usr/local/etc/openvpn/server.key"
    openvpn_dh="/usr/local/etc/openvpn/dh1024.pem"

    openvpn_comp_lzo="YES"
    openvpn_verb="3"
    openvpn_keepalive="10 60"
    
    openvpn_log_append="/var/log/openvpn"
    openvpn_daemon="openvpn"
	 

and append the configuration for users/passwords:

    openvpn_auth_user_pass_verify="/usr/local/etc/openvpn/auth.sh via-env"
    openvpn_client_cert_not_required="YES"
    openvpn_username_as_common_name="YES"
    
    openvpn_secret_file="/usr/local/etc/openvpn/users"
    openvpn_secret_file_generate="YES"
    
    openvpn_secret_users="USERNAME"
    openvpn_secret_user_USERNAME_password="userpassword"
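
To see how the delimiter turns one rc.conf variable into several config lines, here is an added example of a small POSIX sh generator; it is not WiBSD's own rc script. The option-name mapping it uses (underscore to dash, "YES" as a bare flag, "NO" or empty omitted) is an assumption of the example, as is leaving the openvpn_x_* and openvpn_secret_* helper variables out.

```shell
#!/bin/sh
# Added example (not WiBSD's own rc script): turns openvpn_* rc.conf variables
# into openvpn.conf directives, splitting a value on openvpn_config_delimiter
# so that one rc.conf variable can yield several lines with the same option.
# Assumed conventions: underscores in the option name become dashes, "YES" is
# a bare flag, "NO" or an empty value omits the option. The openvpn_x_* and
# openvpn_secret_* helper variables from the page are not handled here.

# Constructed sample settings, taken from the point-to-multipoint example above.
openvpn_config_delimiter="_NEXT_"
openvpn_tls_server="YES"
openvpn_mode="server"
openvpn_dev="tap"
openvpn_proto="tcp-server"
openvpn_port="5001"
openvpn_ifconfig="10.150.0.1 255.255.255.0"
openvpn_ifconfig_pool="10.150.0.65 10.150.0.126 255.255.255.0"
openvpn_duplicate_cn="YES"
openvpn_push="\"route-gateway 10.150.0.1\"_NEXT_\"redirect-gateway\"_NEXT_\"dhcp-option DNS 1.2.3.4\""
openvpn_comp_lzo="YES"
openvpn_client_cert_not_required="NO"   # constructed: NO means "leave it out"

# getvar NAME: print the value of the shell variable called NAME (empty if unset)
getvar() { eval "printf '%s' \"\${$1}\""; }

# split_on DELIM VALUE: print each DELIM-separated part of VALUE on its own line;
# with an empty delimiter the value is printed unchanged
split_on() {
    _delim=$1; _rest=$2
    while [ -n "$_delim" ]; do
        _tail=${_rest#*"$_delim"}
        [ "$_tail" = "$_rest" ] && break       # no delimiter left
        printf '%s\n' "${_rest%%"$_delim"*}"
        _rest=$_tail
    done
    printf '%s\n' "$_rest"
}

# emit_option NAME: print the openvpn.conf line(s) for the variable openvpn_NAME
emit_option() {
    _val=$(getvar "openvpn_$1")
    _name=$(printf '%s' "$1" | sed 's/_/-/g')
    case $_val in
        ""|NO) return 0 ;;                  # option not set: nothing to emit
        YES)   printf '%s\n' "$_name" ;;    # flag without argument
        *)     split_on "$openvpn_config_delimiter" "$_val" |
               while IFS= read -r _part; do
                   printf '%s %s\n' "$_name" "$_part"
               done ;;
    esac
}

# gen_openvpn_conf "opt1 opt2 ...": emit the directives for the named options, in order
gen_openvpn_conf() {
    for _opt in $1; do
        emit_option "$_opt"
    done
}

gen_openvpn_conf "mode dev proto port tls_server ifconfig ifconfig_pool duplicate_cn push comp_lzo client_cert_not_required"
```

The push variable above comes out as three separate "push" lines, which is what OpenVPN expects in its config file.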
	 

Client side

You only have to copy the public certificate of the certification authority, so that the client can check that it is connecting to the right server.

The userpass file contains only two lines: the first is your username and the second your password.

The up and down directives are paths to scripts to run after start / before exit. We use them for setting up DNS servers. It is not necessary to define them.

Client configuration file should look like this:

FreeBSD

Substitute IP_OF_REMOTE_VPN_SERVER with the real IP. Correct the paths to the certificate of the certification authority and to the userpass file.

    remote IP_OF_REMOTE_VPN_SERVER
    tls-client
    dev tap
    proto tcp-client
    port 5001
    pull
    
    ca /usr/local/etc/openvpn/holecek_certs_idc/ca.crt
    auth-user-pass /usr/local/etc/openvpn/holecek_certs_idc/userpass

    up /usr/local/etc/openvpn/up.sh
    down /usr/local/etc/openvpn/down.sh
    
    comp-lzo
    verb 3
    #ping-restart 10
    
    log-append /var/log/openvpn
    status /var/run/openvpn/vpn.status 10
    
    daemon openvpn
    
	 

Mac OS X

Download the TunnelBlick package, which contains the OpenVPN binary for Mac OS X, a GUI and the tun/tap driver, and install it.

The configuration file is the same as for FreeBSD, but if you use the precompiled binaries, there is no support for reading the username and password from a file, so you have to replace this line

    auth-user-pass /usr/local/etc/openvpn/holecek_certs_idc/userpass
	 

with this

    auth-user-pass
    

and the system will ask for the username and password when connecting to the OpenVPN server.

Windows

Download the OpenVPN binary from www.openvpn.net; there is also a graphical user interface for Windows there. Install it and create the file vpn.ovpn in the config directory (usually c:\program files\openvpn\config). It is the same config file as for FreeBSD, but remove the up and down lines and the log-append, status and daemon lines. Correct all paths to files on your computer (especially the path to the certificate of the certification authority).

DNS setup

Since OpenVPN is not able to set up DNS servers on systems other than Windows, you have to use "up" and "down" scripts, which are run after start and before exit. They can look like this:

up.sh

    #!/bin/sh
    # run by OpenVPN after the tunnel is up: rebuild /etc/resolv.conf from the
    # "dhcp-option DOMAIN ..." and "dhcp-option DNS ..." values pushed by the
    # server (OpenVPN exports them as foreign_option_1, foreign_option_2, ...)
    
    resolv_conf_file="/etc/resolv.conf"
    
    # backup old resolv.conf and start with an empty one
    mkdir -p /var/run/openvpn 2>/dev/null
    cp "$resolv_conf_file" /var/run/openvpn/original_resolv_conf
    >"$resolv_conf_file"
    
    options=`set | grep '^foreign_option_' | cut -f1 -d=`
    for option in $options
    do
      eval value=\"\$$option\"
    
      # skip everything that is not a "dhcp-option <TYPE> <VALUE>" line
      case "$value" in
        "dhcp-option "*) ;;
        *) continue ;;
      esac
    
      type=`echo "$value" | awk '{print $2}'`
      parm=`echo "$value" | awk '{print $3}'`
    
      [ "$type" = "DOMAIN" ] && echo "search $parm" >>"$resolv_conf_file"
      [ "$type" = "DNS" ] && echo "nameserver $parm" >>"$resolv_conf_file"
    done
	 

down.sh

    #!/bin/sh

    resolv_conf_file="/etc/resolv.conf"
    [ -r /var/run/openvpn/original_resolv_conf ] && cp /var/run/openvpn/original_resolv_conf $resolv_conf_file
	 

HOWTO Setting up a PPTP VPN server

Install WiBSD and configure rc.conf like that:

    ppp_conf_enable="YES"
    #
    # convention is to use x.x.x.64/26 for clients, x.x.x.32/27 for
    # static IP's
    ppp_conf_section_pptp_set_ifaddr="10.44.44.1 10.44.44.65-10.44.44.126 255.255.255.255"
    #
    #
    pptpd_enable="YES"
    #
    # generating /etc/ppp/ppp.secret file
    ppp_secret_enable="YES"
    ppp_secret_users="jp"
    ppp_secret_user_jp_password="SECRET_KEY"
    # convention is to use x.x.x.32/27 for static IP's
    ppp_secret_user_jp_ip="10.44.44.44"
    #
    # generate pptpd.conf when booting (or not)
    pptpd_conf_enable="YES"
    # option 'noipparam' is very important in FreeBSD 5.x/6.x; it does not work without this option
    pptpd_conf_commands="option localip remoteip pidfile noipparam"
    pptpd_conf_command_localip="10.44.44.1"
    # convention is to use x.x.x.64/26 for dynamic IP's
    pptpd_conf_command_remoteip="10.44.44.65-126"

    # Optionally you can use other DNS servers
    ppp_conf_section_pptp_sets="${ppp_conf_section_pptp_sets} dns"
    ppp_conf_section_pptp_set_dns="YOUR_DNS_SERVER"
    
    # Don't forget to allow pptp and gre in firewall
    fw_allowed_access="... pptp gre"
    fw_allowed_access_pptp="any:tcp:1723:setup:x:"
    fw_allowed_access_gre="any:gre:::x:"
    

On client's side, create ppp.conf section like that:

    server:
      set authname "jp"
      set authkey "SECRET_KEY"
      disable dns
    

And then you can connect to the server via PPTP (you must have pptpclient installed; see /usr/ports/net/pptpclient if using FreeBSD):

    pptp server.xxx.cz server
    

HOWTO Setting up local watchdog of services (daemons)

We prepared some local scripts which check whether certain services are running. You can add them to crontab to run periodically.

To enable the srmgmtd watchdog:

    srmgmtd_watchdog_enable="YES"
    crontab_lines="$crontab_lines wdog_srmgmtd"
    crontab_line_wdog_srmgmtd_comment="(wibsd.conf) watch the srmgmtd daemon"
    # check it every 2 minutes
    crontab_line_wdog_srmgmtd="*/2 * * * * root /usr/local/bin/wdog_srmgmtd.sh"
    

To enable temporary pipes when the login portal is not accessible:

    #=====================================================================
    # enable the emergency pipe system if the login portal is not accessible.
    # If enabled, every user that tries to log in will get a pipe no matter
    # whether he is a valid user or not. No login/password check is
    # performed. We then periodically check the login portal from crontab,
    # and when it becomes accessible again, all these temporary pipes are
    # deleted, which effectively forces all users to log in via the portal
    # as usual.
    sr_ap_temporary_pipes_enable="NO"
    # if the login portal is not accessible, use this bandwidth for temporary
    # pipes; bw is in kilobytes
    sr_ap_temporary_pipes_bw="64"
    # you can change this if you run into name collision problem
    sr_ap_temporary_pipes_user_prefix="emerg_user-"
    # probably you will never need change this; if you do, remember that
    # CGI scripts are run under user 'nobody'
    sr_ap_temporary_pipes_db="/tmp/.temp_pipes.db"
    #
    # we need /etc/crontab for this
    crontab_lines="${crontab_lines} temp_pipes"
    crontab_line_temp_pipes_comment="(wibsd.conf) check temporary pipes in srmgmtd"
    crontab_line_temp_pipes="*/2 * * * * root /usr/local/bin/wdog_temp_pipes_system.sh"
    

HOWTO Setting up bind9 as caching only or primary nameserver

General settings

    bind9_enable="YES"

    # Leave the bind9_listen_on variable empty to listen on all interfaces,
    # or insert the IP address of the interface to listen on.
    # REMEMBER: several addresses MUST be separated by semicolons
    bind9_listen_on=""
    

Caching only nameserver

    bind9_forward_only="YES"
    
    # REMEMBER: several addresses MUST be separated by semicolons
    bind9_forwarders="1.2.3.4; 3.4.5.6"
    

Primary nameserver for domain

First enter symbolic names for the zones you want to configure in bind9_zones and their domains in the _domain variables:

    bind9_forward_only="NO"

    bind9_zones="wibsd"
    bind9_zone_wibsd_domain="wibsd.cz"
    

Set the necessary SOA record; some variables use adequate defaults if left empty:

    bind9_zone_wibsd_serial="2006012001"		# necessary
    bind9_zone_wibsd_refresh="3600"			# default: 3600
    bind9_zone_wibsd_retry="900"			# default: 900
    bind9_zone_wibsd_expire="3600000"			# default: 3600000
    bind9_zone_wibsd_minimum="3600"			# default: 3600
    bind9_zone_wibsd_nameserver="server.wibsd.cz"	# default: ns.{domain}
    bind9_zone_wibsd_email="root@wibsd.cz"		# default: root@{domain}
    

In bind9_zone_?_records insert a symbolic name for each record you want to have:

    bind9_zone_wibsd_records="nameserver server mail" 
    

and for each name from _records create its settings:

    bind9_zone_wibsd_record_nameserver_name=""
    bind9_zone_wibsd_record_nameserver_type="NS"
    bind9_zone_wibsd_record_nameserver_address="server.wibsd.cz."

    bind9_zone_wibsd_record_server_name="server"
    bind9_zone_wibsd_record_server_type="A"
    bind9_zone_wibsd_record_server_address="192.168.1.1"

    bind9_zone_wibsd_record_mail_name="@"
    bind9_zone_wibsd_record_mail_type="MX	10"
    bind9_zone_wibsd_record_mail_address="server"
    

HOWTO Automatically backup configuration files

In rc.conf set up the tftp server address, the files to back up and the directory on the server where to put the files:

    backup_tftp_server_ip="192.168.1.1"
    backup_tftp_server_directory="wibsd"
    backup_tftp_files="/etc/rc.conf /etc/rc.firewall"
    

The save_config script can be called manually after every change, or just add it to crontab at the right place:

    crontab_lines="$crontab_lines saveconfig"
    crontab_line_saveconfig_comment="save our config files every day"
    crontab_line_saveconfig="0 0 * * * root /usr/sbin/save_config"
    

Remember that many tftp servers don't allow clients to create files and directories, so they must exist and have the right permissions before the first backup.

HOWTO Simple user accounting for internet access

There is a system called dashboard which allows you (in conjunction with srmgmt) to manage users accessing the internet through your router.

NOTE: it is necessary to have the smart router management software running on your box.

If you want to use this, you have to define a few important variables:

Enable this feature with srmgmt_enable="YES" and sr_ap_usermgmt_enable="YES".

sr_ap_usermgmt_multilogin says that a user cannot log in more than once (i.e. if he tries, he will be stopped on the old address and access will be allowed only from the new address). Setting the multilogin variable to "NO" says that a user can log in as many times as he wants and from any address.

sr_ap_usermgmt_page_ext_url is the address of a web page that will be shown on the same page as the login page (usually a description of your AP, some warning, or anything else).

    #
    # srmgmt specific configuration
    srmgmt_enable="YES"
    srmgmt_lan_interfaces="wi0"
    # turn NAT translation on/off  (yes/no)
    srmgmt_ap_fw_client_interfaces="wi0"
    srmgmt_ap_fw_allowed_nameservers="$ns1 $ns2"
    srmgmt_ap_accounting_interval="1"

    #
    # SmartRouter simple UserManagement
    sr_ap_usermgmt_enable="YES"
    sr_ap_usermgmt_multilogin="NO"
    sr_ap_usermgmt_page_ext_url="http://www.example.com"
    # a.b.c.d is the IP address of www.example.com
    # e.f.g.h is the IP address of the local thttpd (for example 10.0.99.1)
    # srmgmt opens the http and https ports for these IP addresses on the firewall
    srmgmt_ap_fw_authentication_servers="a.b.c.d e.f.g.h" 
    

Only if the WAN interface has a dynamic IP address (for example CDMA) do you have to add a static firewall rule yourself. If the WAN interface has a static IP address, srmgmt adds the firewall rule automatically.

    fw_allowed_access="http"
    fw_allowed_access_http="any:tcp:80:setup keep-state::y"
    

You have to set where the login page/script is stored. We already cooked up dashboard.cgi in WiBSD, which builds a login page from the rc.conf variables described below. e.f.g.h is the IP address of the local system (for example 10.0.99.1). (See the variables with prefix sr_ap_usermgmt_page_.)

    #
    # login page
    www_config_inc_redirect="e.f.g.h/dashboard.cgi"

	 

Next, you have to define user names and passwords, maximal bandwidth and idle time, as in the following example:

   sr_ap_usermgmt_users="john tom ian"
   
   sr_ap_usermgmt_user_john_password="hjohnh"
   sr_ap_usermgmt_user_john_bw="512/128"
   sr_ap_usermgmt_user_john_max_idle="100"
   
   sr_ap_usermgmt_user_tom_password="htomh"
   sr_ap_usermgmt_user_tom_bw="212/12"
   sr_ap_usermgmt_user_tom_max_idle="200"
   
   sr_ap_usermgmt_user_ian_password="hianh"
   sr_ap_usermgmt_user_ian_bw="112/28"
   sr_ap_usermgmt_user_ian_max_idle="1800"
	

There is no way for users to log out after a successful login. You can solve this by periodically calling the dashboard_idle.sh script, which removes users whose idle time is greater than that defined in rc.conf. Crontab can be used for this:

   crontab_lines="$crontab_lines dashboard"
   crontab_line_dashboard_comment="delete idle users from srmgmt"
   crontab_line_dashboard="*/5 * * * * root /usr/local/bin/dashboard_idle.sh"
   

There are many other variables, especially for defining how the page will look. Feel free to change them as you like. You can use HTML as well.

   sr_ap_usermgmt_page_title=".: Login portal :."
   sr_ap_usermgmt_page_bgcolor="red"
   sr_ap_usermgmt_page_username="Username: "
   sr_ap_usermgmt_page_password="Password: "
   sr_ap_usermgmt_page_login="Login"
   sr_ap_usermgmt_page_noframes="Frames must be enabled to access this site"
   sr_ap_usermgmt_page_badpassword="Bad username or password"
   sr_ap_usermgmt_page_goodpassword="Okay, you are logged in"
   sr_ap_usermgmt_page_error="Internal error"
	

2003-2005 The WiBSD Project. All rights reserved.