{"id":187,"date":"2017-07-31T16:18:14","date_gmt":"2017-07-31T16:18:14","guid":{"rendered":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/?p=187"},"modified":"2017-07-31T16:18:14","modified_gmt":"2017-07-31T16:18:14","slug":"construir-um-router-com-o-banana-pi-r1-parte-iii","status":"publish","type":"post","link":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/2017\/07\/31\/construir-um-router-com-o-banana-pi-r1-parte-iii\/","title":{"rendered":"Building a router with the Banana Pi <span class=\"caps\">R1<\/span> \u2013 Part&nbsp;<span class=\"caps\">III<\/span>"},"content":{"rendered":"<h2><span class=\"caps\">DSA<\/span>, HostAPD, IPTables and <span class=\"caps\">IP<\/span> forwarding<\/h2>\n<blockquote><p>This is the third part of the article series <strong>Building a router with the Banana Pi<\/strong>. For the first part, <a href=\"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/2017\/06\/10\/construir-um-router-com-o-banana-pi-r1-parte-i\/\">see here<\/a>, and for the second part, <a href=\"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/2017\/06\/26\/construir-um-router-com-o-banana-pi-r1-parte-ii\/\">see here<\/a>.<\/p><\/blockquote>\n<p>In this third part of the series, I will show how to install the three basic services of any home router: HostAPD, to accept connections from WiFi clients; <span class=\"caps\">DHCP<\/span>, to assign <span class=\"caps\">IP<\/span> addresses; and <span class=\"caps\">IP<\/span> forwarding, which, as the name suggests, correctly forwards <span class=\"caps\">IP<\/span> packets to and from the Internet.<\/p>\n<p>But first, I will go over the changes I made to the operating system and the 
hardware compared with what I described in the second part.<\/p>\n<p><!--more--><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Alteracao_ao_sistema_operativo_e_hardware\"><\/span>Changes to the operating system and hardware<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Over the last few days I have been testing different software and hardware configurations in order to set up the Banana Pi <span class=\"caps\">R1<\/span> as a router.<\/p>\n<p>I ran into several problems:<\/p>\n<ul>\n<li>The operating system was not very current. The Linux kernel version was from the 3.4 series, which was released in May 2012;<\/li>\n<li>The WiFi controller of the Banana Pi <span class=\"caps\">R1<\/span> is not very stable. It is based on the RealTek <span class=\"caps\">RTL8192CU<\/span> chip, which, on top of that, is connected to the Banana Pi <span class=\"caps\">R1<\/span> over <span class=\"caps\">USB<\/span> (soldered onto the motherboard). 
I have not yet been able to determine whether the stability problem is caused by the driver (from kernel 3.4) or by the hardware itself.<\/li>\n<li>I bought a TP-Link <span class=\"caps\">TP-WN722N<\/span> WiFi adapter (<span class=\"caps\">USB<\/span>) to use instead, but I could not (because of driver limitations) change the \u201cregulatory domain\u201d (more on this later) to Portugal, which in practice prevents us from using WiFi channels 12 and 13 (carrier frequencies 2.467 GHz and 2.472 GHz), which are normally less used and therefore better.<\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Versao_do_kernel\"><\/span>Kernel version<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The kernel I had installed was version 3.4.113. Although that version was released in October 2016, the 3.4 series is already more than 5 years old, so I decided to test a more recent version. 
So I switched the operating system image to the one with kernel 4.9.7 (direct download link: <a href=\"https:\/\/dl.armbian.com\/lamobo-r1\/archive\/Armbian_5.25_Lamobo-r1_Debian_jessie_next_4.9.7.7z\">https:\/\/dl.armbian.com\/lamobo-r1\/archive\/Armbian_5.25_Lamobo-r1_Debian_jessie_next_4.9.7.7z<\/a>).<\/p>\n<p>This version required changing the configuration of the <span class=\"caps\">BCM53125<\/span> switch, because it is no longer possible to use the <span style=\"font-family: andale mono,monospace;\">swconfig<\/span> utility, which is used to define VLANs for the virtual network interfaces (<span class=\"caps\">LAN<\/span> and <span class=\"caps\">WAN<\/span>). Instead, this version requires a feature called <span class=\"caps\">DSA<\/span> (<em>Distributed Switch Architecture<\/em>).<\/p>\n<p>With that in mind, the VLAN configuration looks like this:<\/p>\n<pre><code>\nip link set eth0 down\nip addr flush eth0\nip link set eth0 up\nip link add link eth0 name eth0.101 type vlan id 101\nip link add link eth0 name eth0.102 type vlan id 102\nip link add name br0 type bridge\nip link add br1 type bridge\nip link set lan1 master br0\nip link set lan2 master br0\nip link set lan3 master br0\nip link set lan4 master br0\nip link set wan master br1\nbridge vlan add vid 101 dev lan1 pvid untagged\nbridge vlan add vid 101 dev lan2 pvid untagged\nbridge vlan add vid 101 dev lan3 pvid untagged\nbridge vlan add vid 101 dev lan4 pvid untagged\nbridge vlan del dev lan1 vid 1 self\nbridge vlan del dev lan2 vid 1 self\nbridge vlan del dev lan3 vid 1 self\nbridge vlan del dev lan4 vid 1 self\nbridge vlan del dev lan1 vid 1 master\nbridge vlan del dev lan2 vid 1 master\nbridge vlan 
del dev lan3 vid 1 master\nbridge vlan del dev lan4 vid 1 master\nbridge vlan add vid 102 dev wan pvid untagged\nbridge vlan del dev wan vid 1 self\nbridge vlan del dev wan vid 1 master\nip link set eth0.101 master br0\nip link set eth0.102 master br1\nip link set br0 up\nip link set lan1 up\nip link set lan2 up\nip link set lan3 up\nip link set lan4 up\nip link set wan up\nip link set br1 up\n<\/code><\/pre>\n<p>To integrate interface initialisation with <span style=\"font-family: andale mono,monospace;\">systemd<\/span>, the lines <span style=\"font-family: andale mono,monospace;\">ip link set br0 up<\/span> and <span style=\"font-family: andale mono,monospace;\">ip link set br1 up<\/span> must be commented out.<\/p>\n<p>With these two lines commented out, the \/etc\/network\/interfaces file looks like this:<\/p>\n<pre>iface lo inet loopback\n\nauto eth0.101\niface eth0.101 inet manual\n\nauto eth0.102\niface eth0.102 inet manual\n\nallow-hotplug wlan0\niface wlan0 inet manual\n\nallow-hotplug wlan1\niface wlan1 inet manual\n\n# WAN\nauto br1\niface br1 inet dhcp\n\n# LAN\nauto br0\niface br0 inet static\n address 192.168.2.254\n netmask 255.255.255.0<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"HostAPD\"><\/span>HostAPD<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The software that lets WiFi clients connect to a Linux system is, traditionally, HostAPD.<\/p>\n<p>HostAPD does not come pre-installed on Armbian, but installing it is extremely simple:<\/p>\n<pre>apt install hostapd<\/pre>\n<p>or, if you are using the WiFi interface of the Banana Pi or an external adapter based on RealTek chipsets:<\/p>\n<pre>apt 
install hostapd-realtek<\/pre>\n<p>The configuration is very simple. The configuration file I am using is:<\/p>\n<pre>ssid=ARMBIAN\ninterface=wlan1\nhw_mode=g\nchannel=11\nbridge=br0\ndriver=nl80211\nwds_sta=1\n\nlogger_syslog=-1\nlogger_syslog_level=0\n\nwmm_enabled=1\nieee80211n=1\nwpa=2\npreamble=1\n\n# Replace with your own passphrase: WPA-PSK passphrases must be 8 to 63 characters\nwpa_passphrase=123456\nwpa_key_mgmt=WPA-PSK\nwpa_pairwise=TKIP\nrsn_pairwise=CCMP\nauth_algs=1\nmacaddr_acl=0\n\nnoscan=1\n\nht_capab=[HT40-][SHORT-GI-40][SHORT-GI-40][DSSS_CCK-40]\ncountry_code=PT\nieee80211d=1<\/pre>\n<p>If you are using the HostAPD version for Realtek chipsets, replace the line<\/p>\n<pre>driver=nl80211<\/pre>\n<p>with<\/p>\n<pre>driver=rtl871xdrv<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"IPTables\"><\/span>IPTables<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Before enabling <span class=\"caps\">IP<\/span> forwarding on the router, IPTables, the firewall that ships with Linux, must be configured.<\/p>\n<p>I used the following rules:<\/p>\n<pre>iptables -F\niptables -t nat -F\niptables -A INPUT -i br0 -j ACCEPT\niptables -A INPUT -i lo -j ACCEPT\niptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT\niptables -A FORWARD -s 192.168.2.0\/24 -i br0 -j ACCEPT\niptables -A FORWARD -d 192.168.2.0\/24 -i br1 -j ACCEPT  # matches any packet arriving on br1 for the LAN, not only replies to LAN connections\niptables -t nat -A POSTROUTING -o br1 -j MASQUERADE\niptables -P INPUT DROP\niptables -P FORWARD DROP\nexit 0<\/pre>\n<p>These rules enable <span class=\"caps\">NAT<\/span> on the <span style=\"font-family: andale mono,monospace;\">br1<\/span> interface, as well as basic permissions for inbound and outbound <span class=\"caps\">IP<\/span> packets in the 
<span class=\"caps\">FORWARD<\/span> <em>chain<\/em>, which is the chain traversed by <span class=\"caps\">IP<\/span> packets not destined for the router itself. The first two rules (lines 3 and 4) also allow any <span class=\"caps\">TCP<\/span> connection coming from the internal network (interface <span style=\"font-family: andale mono,monospace;\">br0<\/span>).<\/p>\n<h2><span class=\"caps\">IP<\/span> forwarding<\/h2>\n<p>Finally, <span class=\"caps\">IP<\/span> forwarding is enabled with the command<\/p>\n<pre>echo 1 &gt; \/proc\/sys\/net\/ipv4\/ip_forward<\/pre>\n<p>or<\/p>\n<pre>sysctl net.ipv4.ip_forward=1<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"Configuracoes_permanentes\"><\/span>Permanent configuration<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>As a last step, to make these settings take effect at system boot, save the <span class=\"caps\">DSA<\/span> configuration in the file <span style=\"font-family: andale mono,monospace;\">\/etc\/network\/if-pre-up.d\/dsa<\/span> and the IPTables configuration in the file <span style=\"font-family: andale mono,monospace;\">\/etc\/network\/if-pre-up.d\/iptables<\/span>, then edit the file <span style=\"font-family: andale mono,monospace;\">\/etc\/sysctl.conf<\/span>, find the line that refers to the variable <span style=\"font-family: andale mono,monospace;\">net.ipv4.ip_forward<\/span> and uncomment it:<\/p>\n<pre>net.ipv4.ip_forward=1<\/pre>\n<p>Do not forget to run<\/p>\n<pre>chmod a+x \/etc\/network\/if-pre-up.d\/dsa\nchmod a+x 
\/etc\/network\/if-pre-up.d\/iptables<\/pre>\n<p>And that is it, our router is ready to work. To test the configuration, you can now try a <span style=\"font-family: andale mono,monospace;\">reboot<\/span>.<\/p>\n<p>In part <span class=\"caps\">IV<\/span>, I will cover some finishing touches, such as monitoring and port forwarding.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><span class=\"caps\">DSA<\/span>, HostAPD, IPTables and <span class=\"caps\">IP<\/span> forwarding This is the third part of the article series Building a router with the Banana Pi. For the first part, see here, and for the second part, see here. In this third part of the \u2026 <a href=\"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/2017\/07\/31\/construir-um-router-com-o-banana-pi-r1-parte-iii\/\">Continue reading <span 
class=\"meta-nav\">\u2192<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[2,3,25,9,11],"tags":[],"class_list":["post-187","post","type-post","status-publish","format-standard","hentry","category-administracao","category-configuracao","category-linux","category-redes","category-sistemas-operativos"],"_links":{"self":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts\/187","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/comments?post=187"}],"version-history":[{"count":5,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts\/187\/revisions"}],"predecessor-version":[{"id":197,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/posts\/187\/revisions\/197"}],"wp:attachment":[{"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/media?parent=187"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/categories?post=187"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/trindade.myphotos.cc\/receitasinformaticas\/wp-json\/wp\/v2\/tags?post=187"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}