Since the consensus is they want something that is drop and go, here is the latest image. It has Snort3, AdBlock, banIP, OpenVPN and WireGuard support.
Load it as always, do a rm /.norwits and then reboot. At least on that build the networking should be solid..
ItusgatewayImage
Yes, it goes in the Gateway slot, but acts in router mode.
Running Itus Shield v2 Firmware
Sorry! I did post-edit a link in, but only now realized the few of you who only check the emails wouldn't see it.
https://drive.google.com/file/d/1ZupmVj6vuo4f8ySy-a7rJgoqxxwIKm6C/view?usp=sharing
Running Itus Shield v2 Firmware
In reply to this post by Gnomad
Maybe Grommish falling asleep on the keyboard......
Running v2 Firmware
hahah.. I bricked the Shield and had to recover it.. TFTP of a 100MB file takes... a long time.. (like.. an hour and 40 minutes worth of long time!)
But, it's working now, better than ever actually.. I'm making some real progress.. The "base" image is 17MB. This has network functionality (defaults to router, but can be configured for bridge by hand right now, if that is what someone wants), but nothing else. I'll probably make a separate device image for bridge at some point.
Now.. the question is, does anyone know who OWNS the itus.accessinnov.com domain? Would they be open to hosting the ipks and whatnot? I'm not even sure what the size for everything would be (I'll check), but if I have to start hosting it online, I'll have to see what I can do.
I've gotten to the point where I am looking for a place to hold the compiled images and .ipks. It looks like we are going to have to maintain our own repo for the packages because I compile with support for the Octeon III rather than just Octeon+ (-march=octeon3), so the OpenWrt official repo comes up as No Valid Architecture.
My goal is to make an actual base package people can do what they want with. From there, I can worry about pre-made packages (or just release an auto-configuration package that sets up things like Snort, Adblock, banip, etc).
Running Itus Shield v2 Firmware
Fairly sure this forum is hosted by user8446
From: Grommish [via Itus Networks Owners Forum] <ml+[hidden email]>
Sent: Friday, June 19, 2020 6:01:23 PM
To: Turrican <[hidden email]>
Subject: Re: Update and decision time.
Running v2 Firmware
In reply to this post by Grommish
Fantastic Grommish - 100MB image installed & running!
How on earth did you get your new image down to 17MB? Does it grow much adding banIp, WireGuard & AdBlock?
For hosting ipks and compiled images, you could just continue to host alongside your existing repo as Packages at https://github.com/Grommish/Itus_Shield_v2/packages
Or if you'd prefer distinct repos for different aspects, looks like I have rights to create new repositories under https://github.com/ItusShield. Let me know what you need and I should be able to grant you access to each individually from there. (I don't have the ability to add you as a top-level member of ItusShield, but @user8446 does if he's listening in?)
OpenWrt SNAPSHOT, r10391-3d8d528939
Some other default packages to consider:
- bcp38: Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing
- stubby: Acts as a local DNS Privacy stub resolver (using DNS-over-TLS). Stubby encrypts DNS queries sent from a client machine to a DNS Privacy resolver increasing end user privacy.
- sqm: Smart Queue Management to improve speeds
- vpn-policy-routing (with OpenVPN / WireGuard): to allow VPNs to apply to specific devices
And perhaps consider some of these recommendations.. https://openwrt.org/docs/guide-user/security/secure.access
OpenWrt SNAPSHOT, r10391-3d8d528939
In reply to this post by Gnomad
First, thanks to all of you for being awesome during the devel time..
Second, Gnomad, you rock.. I went and created an AWS S3 bucket to hold things (fully expecting to stay within the free tier), but I completely blanked on Github as a resource. That should be totally do-able and it really doesn't matter what the URL is, because you won't ever really see it..
Third, that image you're running contains many, many things. It was a very long journey to figure out why the network did and didn't work sometimes.. Put it this way, that 100MB image file actually has FULL Python3 support :D (among other things) which makes it entirely bloated.. Unless you WANT Python3, which the Shield actually can support..
But.. I've LEARNED things along the way, too. Because the image is RAM resident at boot, AND contains the kernel (in the BIN image, NOT as a vmlinux file!).. it doesn't really get unloaded from RAM, which means my idle when I have the bone-stock image looks like this (Granted, I'm not running ~600MB of RAM towards Snort yet!)
[image]
More RAM = More playspace.. Especially if I can figure out a legit upgrade path (and I'm working on it). We will NEVER be able to get away from rebooting the device because of the kernel issue (AFAIK, anyway, I've been wrong before), but we can make it quicker. Right now (again, not counting Snort, which you are running and takes a LOT of resources).. my "boot" time is about 60-70 seconds..
[ 58.465366] IPv6: ADDRCONF(NETDEV_CHANGE): eth0: link becomes ready
and the network is up and running..
See, this is why I would really like to do the platform, rather than a turnkey (I know, I know). This way, anyone who wants whatever can grab it..
I've never heard of bcp38, but I will look at it (and see if it's an OpenWrt package or not).. How does SQM interact with QOS? Are they the same, different, completely different?
Currently, pre-installed on the image is DNSMASQ, which acts like the DNS/DHCP resolver and server. I'm sure there is a way to have DNSMASQ use DoH, but I only looked at it quickly in the beginning. So, DoH is a solution, though it would be available only for Router mode, of course..
Wireguard is available.. OpenVPN is available. Both are accessible thru luCi even. I know OpenVPN will work, because I've tested it. Wireguard will work, but I can't test because my VPN doesn't have publicly available WG info (they make you use their client..) but it IS in there for those that can.
AND.. For those who REALLY don't like CLI.. I'd added a luCi shell page..
[image]
Running Itus Shield v2 Firmware
In the U-Boot firmware:
bridge=mmc dev 1;fatload mmc 1 $(loadaddr) brigdeImage;bootoctlinux $(loadaddr) mem=0 numcores=2
They misspelled bridgeImage as brigdeImage.. So I don't think BRIDGE mode ever really worked.. it would have defaulted to either another image or the recovery image..
Interesting.. I'm just posting it here in case someone runs across it in the future :)
Running Itus Shield v2 Firmware
Also, for those who are Linux buffs..
linux_mmc=fatload mmc 1 $(loadaddr) vmlinux.64;bootoctlinux $(loadaddr) mem=0 numcores=2
This was in uBoot as well.. So we could boot a full Linux Distro if I put it on there..
Running Itus Shield v2 Firmware
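Added example (not part of the thread or the firmware): a shell check, covering the two U-Boot posts above, that lists boot commands whose fatload filename is absent from the boot partition. The two environment lines are the ones quoted in the posts; the partition listing and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: find U-Boot boot commands that fatload a file which is not
# on the FAT boot partition (a typo such as brigdeImage fails only at boot).

# missing_fatload_targets ENV_FILE FILES_FILE
#   ENV_FILE:   "name=value" lines, as printed by U-Boot printenv
#   FILES_FILE: one filename per line, the listing of the boot partition
# Prints "variable: filename" for every fatload target that is not listed.
missing_fatload_targets() {
    awk -v files="$2" '
        BEGIN {
            # FAT names are case-insensitive, so compare in lower case
            while ((getline f < files) > 0) present[tolower(f)] = 1
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            var = substr($0, 1, eq - 1)
            n = split(substr($0, eq + 1), cmds, ";")
            for (i = 1; i <= n; i++) {
                # fatload <interface> <dev[:part]> <addr> <filename>
                m = split(cmds[i], w, " ")
                if (m < 5 || w[1] != "fatload") continue
                name = tolower(w[5])
                if (!(name in present)) print var ": " w[5]
            }
        }
    ' "$1"
}

# Constructed sample: the env lines are the two quoted in the posts; the
# partition listing is an assumption for illustration.
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/env.txt" <<'EOF'
bridge=mmc dev 1;fatload mmc 1 $(loadaddr) brigdeImage;bootoctlinux $(loadaddr) mem=0 numcores=2
linux_mmc=fatload mmc 1 $(loadaddr) vmlinux.64;bootoctlinux $(loadaddr) mem=0 numcores=2
EOF
    printf '%s\n' ItusgatewayImage bridgeImage > "$tmp/files.txt"
    missing_fatload_targets "$tmp/env.txt" "$tmp/files.txt"
    rm -rf "$tmp"
}

demo
```

On a real device the environment file would be the saved output of printenv from the U-Boot console, and the file list a directory listing of the mmc boot partition.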
Well spotted. I've been using your latest image for the last week focusing solely on adblock and found it rock solid even when all sources are ticked (although some failed to download as seen in log) and only using 100MB.
I've tried looking for banip but can't seem to find it, I thought you included it? Tried installing with "opkg install banip" but failed to install.
Am I right in thinking that banip can be used to ban ips from say any country I choose, like Russia, Korea as examples? Is it possible to install banip?
Roadrunneruk
On Sat, 20 Jun 2020 at 23:11, Grommish [via Itus Networks Owners Forum] <[hidden email]> wrote:
Also, for those who are Linux buffs..
Depending on the image you have, yes, it should have BanIP in it.. Check the luCi page.
As of right now, opkg is not installing anything. Not only is it the wrong build, but the wrong kernel, to what is on the OpenWrt repo. I'm in the process of trying to address that next. I'm building out (or attempting to) ALL of the packages for OpenWrt, built and cross-compiled for our kernel. These I will put on Github, assuming they'll let me house that much data, and then you should be able to grab the base image and install anything you want via opkg. That is the goal I'm after at the moment.
And.. TADA..
[image]
If you want in on the goodness.. Check out (and I'd recommend following the repo) https://github.com/Grommish/shield_opkgs
You can find the Installation image here, just remember to RENAME it to ItusxxxxxxImage (Itusgateway is what I use) before you copy it over. Also, remember to remove your /.norwits file! I'm working towards an upgrade system but that will take much more testing and there isn't any reason to wait for you all.
Now.. ONE thing you all have to do if you test this is change out the /etc/opkg/distfeeds.conf file with this one distfeeds.conf, then you can do your opkg update either via CLI or luCI.
I did just test this. I installed banip and the luci app for it via the Software tab and opkg repo I made. It not only installed the package, but ALL the deps and libs with it! YAY! I did have to refresh the page for Services to show up tho :p
BTW, the reason I didn't bake in the distfeeds.conf change in this round is that if I did, and recompiled, I'd have to re-upload all 1.4GB hehe.. Seems like a waste for something so small.. but it'll be in the next update, although there really isn't all that much left to practically do.
Running Itus Shield v2 Firmware
And yes, it even does system utilities..
[image]
Running Itus Shield v2 Firmware
Just installed latest image, 17MB in size, renamed and working but no service tab.
Installed adblock and banip, all went well but can't find the luci app which you talked about. I presume you have to install luci to get the service tab. Rebooted, started fine.
Roadrunneruk
Sorted the service tab issue, in my case I installed banip and adblock but you have to install these as well to get the service tab
luci-app-banip
luci-app-adblock
[image]
Roadrunneruk
Right.. I was going to mention that but you had already figured it out already.
[image]
The entire buildroot is like that and I don't even think about it anymore or I would have said something. luCI stuff is separated into their own packages (luci-app- is a physically different package than the app itself.) The whole upgrade system is still not-functional, but at least this part is.
Something to keep in mind though, is that if you do an opkg search and do NOT see a corresponding luci-* entry for it, it means there isn't one. No luCi package for Snort, for example:
[image]
Lots of luci packages for Adblock, however:
[image]
Helpful tip: If you are installing something that HAS a luci hook (like Adblock).. If you install the luci-app-adblock, it'll force the install of Adblock (since it's a dependency of the luci app)
Running Itus Shield v2 Firmware
It seems I missed at least one default setting (probably more), and I'll put them into the future builds (along with the distfeeds.conf file), but for now.. If you are testing, make sure you enable the following:
uci set firewall.@defaults[0].flow_offloading_hw='1'
Heads up, if you've not updated yet, you should hold off. Not because it's bad, but because I have a new image AND a new process for installing it that I'm doing final testing for.
I think we are in the home stretch
Running Itus Shield v2 Firmware
Can’t wait! Just updated to the latest one but sounds great Grommish
Running v2 Firmware