# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
-set -eE -o pipefail
-trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR
-
+f=/usr/local/lib/bash-bear;test -r $f || { echo "error: $0 no $f" >&2;exit 1;}; . $f
usage() {
cat <<EOF
-usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC]
+usage: ${0##*/} [-h] [-t 2|3|test|client] [-m WIRELESS_MAC] [hostname]
setup my router in general: dhcp, dns, etc.
Type 2 or 3 is for setting up a backup device, there are two kinds so
}
-secrets=false
-if [[ -e /root/router-secrets ]]; then
- secrets=true
- source /root/router-secrets
-fi
-rmac=$(cat /sys/class/net/eth0/address)
-if $secrets; then
- hostname=${rhost[$rmac]}
-fi
-: ${hostname:=wrt}
-
zblock=false
if [[ -e /root/zblock ]]; then
dev2=false
test=false
client=false
+ap=false
libremanage_host=wrt2
lanip=1
while getopts hm:t:yz opt; do
client)
client=true
;;
+ ap)
+ ap=true
+ lanip=53
+ hostname=cmcap
+ ;;
*) echo "$0: unexpected arg to -t: $*" >&2; usage 1 ;;
esac
;;
done
shift "$((OPTIND-1))" # Discard the options and sentinel --
+if [[ $1 ]]; then
+ h=$1
+elif [[ $hostname ]]; then
+ h=$hostname
+else
+ h=cmc
+fi
+
+if [[ ! $hostname ]]; then
+ hostname=$h
+fi
+
+
+secrets=false
+if [[ -e /root/router-secrets ]]; then
+ secrets=true
+ source /root/router-secrets
+fi
+
if [[ ! $mac ]] && ! $test && $secrets; then
# if we wanted to increment it
#mac=${mac:0: -1}$((${mac: -1} + 2))
- mac=${rwmac[$rmac]}
+ mac=${rwmac[$h]}
fi
if (( $# != 0 )); then
lan=10.0.0.0
if $test; then
lan=10.1.0.0
-elif [[ $hostname == cmc ]]; then
+elif [[ $hostname == cmc || $hostname == cmcap ]]; then
lan=10.2.0.0
elif $client; then
lan=10.3.0.0
if $test; then
ssid="gnuv3"
elif $secrets; then
- ssid=${rssid[$rmac]}
+ ssid=${rssid[$h]}
fi
: ${ssid:=librecmc}
if $secrets; then
- key=${rkey[$rmac]}
+ key=${rkey[$h]}
fi
: ${key:=pictionary49}
cidr=16
l=${lan%.0}
-passwd -l root ||: #already locked fails
+# why did we lock this? i don't know
+#passwd -l root ||: #already locked fails
sed -ibak '/^root:/d' /etc/shadow
# /root/router created by manually running passwd then copying the resulting
uset network.lan.ipaddr $l.$lanip
uset network.lan.netmask $mask
-if $dev2 || $client; then
- if $dev2; then
+if $dev2 || $client || $ap; then
+ if $dev2 || $ap; then
uset network.lan.gateway $l.1
uset network.wan.proto none
uset network.wan6.proto none
/etc/init.d/odhcpd stop
/etc/init.d/odhcpd disable
rm -f /etc/resolv.conf
- cat >/etc/resolv.conf <<'EOF'
+ if $ap; then
+ cat >/etc/resolv.conf <<EOF
+nameserver $l.1
+EOF
+ else
+ cat >/etc/resolv.conf <<'EOF'
nameserver 8.8.8.8
nameserver 8.8.4.4
EOF
+ fi
# things i tried to keep dnsmasq running but not enabled except local dns,
# but it didnt work right and i dont need it anyways.
else
# these are the defaults
- uset network.lan.gateway ''
+
+ # this is not needed unless switching from the above condition.
+ # disabling just to debug
+ #uset network.lan.gateway ''
+
uset network.wan.proto dhcp
uset network.wan6.proto dhcpv6
/etc/init.d/dnsmasq start
if $client; then
uset wireless.default_radio0.network 'wwan'
- uset wireless.default_radio0.ssid ${rclientssid[$rmac]}
+ uset wireless.default_radio0.ssid ${rclientssid[$h]}
uset wireless.default_radio0.encryption 'psk2'
uset wireless.default_radio0.device 'radio0'
uset wireless.default_radio0.mode 'sta'
- uset wireless.default_radio0.bssid ${rclientbssid[$rmac]}
+ uset wireless.default_radio0.bssid ${rclientbssid[$h]}
# todo: look into whether 5g network is available.
- uset wireless.default_radio0.key ${rclientkey[$rmac]}
+ uset wireless.default_radio0.key ${rclientkey[$h]}
uset wireless.radio0.disabled false
uset wireless.radio1.disabled true
else
if [[ $mac ]]; then
uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
fi
- # secondary device has wireless disabled
+ # disable/enable. secondary device has wireless disabled
uset wireless.radio$x.disabled $dev2
done
fi
+if grep '^OPENWRT_BOARD="mvebu/cortexa9"' /etc/os-release &>/dev/null; then
+ # todo, I also enabled irqbalance, didnt script it though
+ # https://forum.openwrt.org/t/wrt1900acs-wifi-issue-after-upgrade-from-19-07-to-21-02-vacuum-cleaner-legacy-rate-support/113311/28
+ cat >/etc/rc.local <<'EOF'
+echo "0" >> /sys/kernel/debug/ieee80211/phy0/mwlwifi/tx_amsdu
+echo "0" >> /sys/kernel/debug/ieee80211/phy1/mwlwifi/tx_amsdu
+exit 0
+EOF
+ chmod +x /etc/rc.local
+ /etc/rc.local
+ uset wireless.radio0.disassoc_low_ack 0
+ uset wireless.radio1.disassoc_low_ack 0
+fi
+# found with https://openwrt.org/docs/guide-user/network/wifi/iwchan.
+# However, the default also chooses 11, and better to let it choose in case things change.
+# case $HOSTNAME in
+# cmc)
+# uset wireless.radio0.channel 11
+# ;;
+# esac
# usb, screen, relay are for libremanage
#
# relay package temporarily disabled
# /root/relay_1.0-1_mips_24kc.ipk
-v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \
- tcpdump openvpn-openssl adblock libusb-compat \
- screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync\
- unbound-daemon-heavy unbound-checkconf
+#
+# note: prometheus-node-exporter-lua-openwrt seems to be a dependency of
+# prometheus-node-exporter-lua in practice.
+
+pkgs=(
+ tcpdump
+ screen
+ rsync
+ kmod-usb-storage
+ block-mount
+ kmod-fs-ext4
+ prometheus-node-exporter-lua-openwrt
+ prometheus-node-exporter-lua
+)
+
+if ! $ap; then
+ pkgs+=(
+ unbound-daemon
+ unbound-checkconf
+ )
+fi
+
+v pi "${pkgs[@]}"
+# nfs-kernel-server \
+ # openvpn-openssl adblock libusb-compat \
+ # kmod-usb-serial-cp210x kmod-usb-serial-ftdi \
+
cat >/etc/libremanage.conf <<EOF
${libremanage_host}_type=switch
# v /etc/init.d/nfsd enable
+cedit /etc/config/prometheus-node-exporter-lua <<'EOF' || /etc/init.d/prometheus-node-exporter-lua restart
+config prometheus-node-exporter-lua 'main'
+ option listen_ipv6 '0'
+ option listen_interface 'lan'
+ option listen_port '9100
+EOF
+# default, as of this writing is:
+# config prometheus-node-exporter-lua 'main'
+# option listen_interface 'loopback'
+# option listen_port '9100'
cedit /etc/config/network <<EOF || network_restart=true
config 'route' 'transmission'
option 'interface' 'lan'
- option 'target' '10.173.0.0'
+ option 'target' '10.174.0.0'
option 'netmask' '255.255.0.0'
- option 'gateway' '$l.3'
+ option 'gateway' '$l.2'
option interface 'wg0'
option proto 'wireguard'
list allowed_ips 'fdfd::2/64'
EOF
+# Need to reload before we change dnsmasq to give out
+# static ips in our new range.
if $network_restart; then
v /etc/init.d/network reload
fi
;;
esac
+
cedit /etc/config/firewall <<EOF
## begin no external dns for ziva
config rule
option target ACCEPT
option dest_port 22
+config redirect
+ option name promkd
+ option src wan
+ option src_dport 9091
+ option dest_port 9091
+ option dest_ip $l.2
+ option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 9091
+
config redirect
option name sshkd
option src wan
option target ACCEPT
option dest_port 2202
+# was working on an openvpn server, didn't finish
+# config redirect
+# option name vpnkd
+# option src wan
+# option src_dport 1196
+# option dest_port 1196
+# option dest_ip $l.2
+# option dest lan
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 1196
+
config redirect
option name sshkdalt
option dest_port 2207
config redirect
- option name sshtp
+ option name sshbb8
option src wan
- option src_dport 2208
+ option src_dport 2209
option dest_port 22
- option dest_ip $l.8
+ option dest_ip $l.32
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 2208
+ option dest_port 2209
+
config redirect
- option name sshbb8
+ option name sshfrodo
option src wan
- option src_dport 2209
- option dest_port 22
- option dest_ip $l.9
+ option src_dport 2234
+ option dest_port 34
+ option dest_ip $l.34
option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 2209
+ option dest_port 2234
+
config redirect
option name icecast
option dest_port 8000
config rule
- option name sshwrt
+ option name sshcmc
option src wan
option target ACCEPT
option dest_port 2220
option dest_port $wgport
option proto udp
-
config redirect
- option name httpkd
+ option name navidromehttps
option src wan
- option src_dport 80
+ option src_dport 4500
+ option dest_port 4500
+ option dest_ip $l.2
option dest lan
+config rule
+ option src wan
+ option target ACCEPT
+ option dest_port 4500
+
+config redirect
+ option name navidrome
+ option src wan
+ option src_dport 4533
+ option dest_port 4533
option dest_ip $l.2
- option proto tcp
+ option dest lan
config rule
option src wan
option target ACCEPT
- option dest_port 80
- option proto tcp
+ option dest_port 4533
+
+# So a client can just have i.b8.nz dns even when they
+# are on the lan.
+#config redirect
+# option name navidromelan
+# option src lan
+# option src_dport 4533
+# option dest_port 4533
+# option dest_ip $l.2
+# option dest lan
+
+
+# config redirect
+# option name icecast
+# option src wan
+# option src_dport 8000
+# option dest_port 8000
+# option dest_ip $l.2
+# option dest lan
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 8000
config redirect
- option name httpskd
+ option name http
option src wan
- option src_dport 443
+ option src_dport 80
option dest lan
- option dest_ip $l.2
+ option dest_ip $l.7
option proto tcp
config rule
option src wan
option target ACCEPT
- option dest_port 443
+ option dest_port 80
option proto tcp
config redirect
-option name httpskd8448
+ option name https
option src wan
- option src_dport 8448
+ option src_dport 443
option dest lan
- option dest_ip $l.2
+ option dest_ip $l.7
option proto tcp
config rule
option src wan
option target ACCEPT
- option dest_port 8448
+ option dest_port 443
option proto tcp
+# config redirect
+# option name httpskd8448
+# option src wan
+# option src_dport 8448
+# option dest lan
+# option dest_ip $l.2
+# option proto tcp
+# config rule
+# option src wan
+# option target ACCEPT
+# option dest_port 8448
+# option proto tcp
config redirect
option name syncthing
option dest_port 22001
+#config redirect
+# option name i2p
+# option src wan
+# option src_dport $i2pport
+# option dest_ip $l.178
+# option dest lan
+#config rule
+# option src wan
+# option target ACCEPT
+# option dest_port $i2pport
+
config rule
option name ssh-ipv6
option src wan
option target ACCEPT
option family ipv6
-config rule
- option name http-ipv6
- option src wan
- option dest lan
- option dest_port 80
- option target ACCEPT
- option family ipv6
-
-config rule
- option name https-ipv6
- option src wan
- option dest lan
- option dest_port 443
- option target ACCEPT
- option family ipv6
+# config rule
+# option name http-ipv6
+# option src wan
+# option dest lan
+# option dest_port 80
+# option target ACCEPT
+# option family ipv6
+
+# config rule
+# option name https-ipv6
+# option src wan
+# option dest lan
+# option dest_port 443
+# option target ACCEPT
+# option family ipv6
config rule
option name node-exporter
option target ACCEPT
option family ipv6
-# include a file with users custom iptables rules
-config include
- option path /etc/firewall.user
- option type 'restore'
- option family 'ipv4'
-
-
EOF
}
firewall-cedit || firewall_restart=true
+# firewall comment:
+# not using and in newer wrt, fails, probably due to nonexistent file, error output
+# on:
+
+# Reference error: left-hand side expression is not an array or object
+# In [anonymous function](), file /usr/share/ucode/fw4.uc, line 3137, byte 12:
+# called from function [arrow function] (/usr/share/ucode/fw4.uc:733:71)
+# called from function foreach ([C])
+# called from function [anonymous function] (/usr/share/ucode/fw4.uc:733:72)
+# called from function render_ruleset (/usr/share/firewall4/main.uc:56:24)
+# called from anonymous function (/usr/share/firewall4/main.uc:143:29)
+#
+# ` if (!inc.enabled) {`
+# Near here -------^
+#
+#
+# The rendered ruleset contains errors, not doing firewall restart.
+# /usr/bin/wrt-setup-local:160:error: ""$@"" returned 1
+
+## include a file with users custom iptables rules
+#config include
+# option path /etc/firewall.user
+# option type 'restore'
+# option family 'ipv4'
+
+
+
# not using wireguard for now
# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then
# # cant mix cedit plus uci
-cedit /etc/hosts <<EOF
+cedit /etc/hosts <<EOF ||:
127.0.1.1 $hostname
EOF
-# not sure this case statement is needed
-case $hostname in
- cmc)
- cedit host /etc/hosts <<EOF
-$l.1 $hostname
-# 127.0.0.1 www.youtube.com
-# 127.0.0.1 googlevideo.com
-# 127.0.0.1 youtu.be
-# 127.0.0.1 youtube-nocookie.com
-# 127.0.0.1 youtube.com
-# 127.0.0.1 youtube.googleapis.com
-# 127.0.0.1 youtubei.googleapis.com
-# 127.0.0.1 ytimg.com
-# 127.0.0.1 ytimg.l.google.com
-EOF
- ;;
-esac
#mail_host=$(grep -F mail.iankelling.org /etc/hosts | awk '{print $1}')
# if you delete it, it goes back to the default. this seems
# to be a decent workaround.
# todo: setup /etc/resolv.conf to point to 127.0.0.1
-uset dhcp.@dnsmasq[0].resolvfile /dev/null
+# later note: disabled, I dunno why I set this.
+# uset dhcp.@dnsmasq[0].resolvfile /dev/null
# if dnsmasq happens to not send out a dns server,
# odhcpd will send one out like this:
# so just stop this thing.
# note: tried this, it didn't do anything:
# uset dhcp.@odhcpd[0].dns 10.2.0.1
-/etc/init.d/odhcpd stop
-/etc/init.d/odhcpd disable
+
+# iank, disablde while debugging.
+#/etc/init.d/odhcpd stop
+#/etc/init.d/odhcpd disable
+
# todo: make the above conditional on which server this is.
+## left commented in case we have ipv6 problems in the future
# avoid errors in log. current isp doesnt have ipv6
-uset unbound.@unbound[0].protocol ip4_only
+#uset unbound.@unbound[0].protocol ip4_only
# todo: im not sure all these are needed, but they all look
# like good options.
# to:
# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
-{
- cat <<'EOF'
+if ! $ap; then
+ {
+ cat <<'EOF'
do-tcp: yes
prefetch: yes
qname-minimisation: yes
access-control-view: 10.2.0.31/32 "youtube"
EOF
- if $zblock; then
- cat <<'EOF'
-# amy, amyw, samsungtab
-access-control-view: 10.2.0.8/32 "youtube"
-access-control-view: 10.2.0.23/32 "youtube"
+ if $zblock; then
+ cat <<'EOF'
+# no sy until that dongle is used by ziva
+
+# syw
+#access-control-view: 10.2.0.7/32 "youtube"
+# bow
+access-control-view: 10.2.0.29/32 "youtube"
+# samsungtab
access-control-view: 10.2.0.32/32 "youtube"
EOF
- fi
-} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true
+ fi
+ } | cedit /etc/unbound/unbound_srv.conf || unbound_restart=true
+
+ # dns based blocking vs ip based. with ip, same
+ # server can have multiple domains. in dns,
+ # you have to make sure clients to use the local dns.
+ # https dns will need to be blocked by ip in
+ # order to be comprehensive
-# dns based blocking vs ip based. with ip, same
-# server can have multiple domains. in dns,
-# you have to make sure clients to use the local dns.
-# https dns will need to be blocked by ip in
-# order to be comprehensive
-cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+ cedit /etc/unbound/unbound_ext.conf <<EOF || unbound_restart=true
+
+$(. /root/ptr-data)
+
local-data-ptr: "10.2.0.1 cmc.b8.nz"
-local-data-ptr: "10.2.0.2 kd.b8.nz"
-local-data-ptr: "10.2.0.3 sy.b8.nz"
-local-data-ptr: "10.2.0.4 wrt2.b8.nz"
-local-data-ptr: "10.2.0.5 x2.b8.nz"
-local-data-ptr: "10.2.0.6 x2w.b8.nz"
-local-data-ptr: "10.2.0.7 syw.b8.nz"
-local-data-ptr: "10.2.0.8 amy.b8.nz"
-local-data-ptr: "10.2.0.9 bb8.b8.nz"
-local-data-ptr: "10.2.0.12 demohost.b8.nz"
-local-data-ptr: "10.2.0.14 wrt3.b8.nz"
-local-data-ptr: "10.2.0.19 brother.b8.nz"
-local-data-ptr: "10.2.0.23 amyw.b8.nz"
-local-data-ptr: "10.2.0.25 hp.b8.nz"
-local-data-ptr: "10.2.0.31 amazontab.b8.nz"
-local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
-local-data-ptr: "10.173.0.2 transmission.b8.nz"
+
+local-data-ptr: "10.174.2.2 transmission.b8.nz"
local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
local-data-ptr: "10.173.8.2 nn.b8.nz"
forward-zone:
name: "."
+# forward-addr: 8.8.8.8
+# forward-addr: 8.8.8.8
+
+# ssl disabled due to this error:
+#Sat Dec 24 03:34:44 2022 daemon.err unbound: [6568:0] error: ssl handshake failed crypto error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed
+#Sat Dec 24 03:34:44 2022 daemon.notice unbound: [6568:0] notice: ssl handshake failed 1.0.0.3 port 853
+# on OPENWRT_RELEASE="OpenWrt SNAPSHOT r18639-f5865452ac"
+# from about feb 2022
+
# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
- forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
- forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
- forward-ssl-upstream: yes
+# forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+# forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+# forward-ssl-upstream: yes
forward-first: no
+ forward-addr: 1.1.1.3
+ forward-addr: 1.0.0.3
view:
name: "youtube"
EOF
-if $restart_unbound; then
- /etc/init.d/unbound restart
- if ! unbound-checkconf; then
- echo $0: error: unbound-checkconf failed >&2
- exit 1
+ if $unbound_restart; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
fi
-fi
-
-
-# disabled for now. i want to selectively enable it
-# for specific hosts.
-if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
- v uci set adblock.global.adb_enabled=0
- uci commit adblock
- /etc/init.d/adblock restart
-fi
-# https://github.com/openwrt/packages/tree/master/net/adblock/files
-cat >/etc/crontabs/root <<'EOF'
-0 06 * * * /etc/init.d/adblock reload
-EOF
+fi # end if $ap
+
+# # disabled for now. i want to selectively enable it
+# # for specific hosts.
+# if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then
+# v uci set adblock.global.adb_enabled=0
+# uci commit adblock
+# /etc/init.d/adblock restart
+# fi
+# # https://github.com/openwrt/packages/tree/master/net/adblock/files
+# cat >/etc/crontabs/root <<'EOF'
+# 0 06 * * * /etc/init.d/adblock reload
+# EOF
# useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq
# to start.
mkdir -p /mnt/usb/tftpboot
cedit /etc/dnsmasq.conf <<EOF || dnsmasq_restart=true
+
# no dns
port=0
server=/b8.nz/#
ptr-record=1.0.2.10.in-addr.arpa.,cmc.b8.nz
+# generated with host-info-update
+$(. /root/dnsmasq-data)
+
# https://ret2got.wordpress.com/2018/01/19/how-your-ethereum-can-be-stolen-using-dns-rebinding/
stop-dns-rebind
rebind-domain-ok=b8.nz
# It is default if dnsmasq is doing dns, otherwise, we have to specify it.
# To see it in action, I ran this from a client machine:
# sudo dhcpcd -o domain_name_servers -T
-dhcp-option=6,$l.1
+dhcp-option=option:dns-server,$l.1
+# use this when doing fai to get the right timezone, its nfsroot is
+# setup to use this dhcp option only and call ntpdate.
+# generate ips with:
+# for h in 0.ubuntu.pool.ntp.org 1.ubuntu.pool.ntp.org ntp.ubuntu.com; do host -t a $h | awk '{print $NF}'; done | while read -r l; do printf ,$l; done
+dhcp-option=option:ntp-server,188.165.3.28,202.12.97.45,91.236.251.13,50.205.244.23,78.30.254.80,31.131.0.123,202.65.114.202,94.228.220.14,185.125.190.57,185.125.190.58,91.189.91.157,185.125.190.56,91.189.94.4
# results from googling around dnsmasq optimizations
# default dhcp range is 100-150
-# bottom port, iPXE (PCI 03:00.0) in seabios boot menu
-dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd
-dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy
-# top port, iPXE (PCI 04:00.0) in seabios boot menu
-#dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd
-# 4 is reserved for a staticly configured host wrt2
-# old x2 with bad fan
-#dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2
-dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2
-dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w
-dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw
-dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy
-# This is so fai can have an explicit name to use for testing,
-# or else any random machine which did a pxe boot would get
-# reformatted. The mac is from doing a virt-install, cancelling it,
-# and copying the generated mac, so it should be randomish.
-dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
-dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
-# 14 = wrt3
-dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
-# BRN001BA98CA823 in dhcp logs
-dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
-
-dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
-dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9
-dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
-dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
-dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
-dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
-
-
-
-# faiserver vm
-dhcp-host=52:54:00:56:09:f9,set:faiserver,$l.15,faiserver
-
-# This is the ip it picks by default if dhcp fails,
-# so might as well use it.
-# hostname is the name it uses according to telnet
-dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
# template
# dhcp-host=,$l.,
-# Just leave the tftp server up even if we aren't doing pxe boot.
-# It has no sensitive info.
-enable-tftp=br-lan
-tftp-root=/mnt/usb/tftpboot
-dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
+# pxe tftpboot for arch-like. todo: openwrt snapshot from 2022-01, it cant
+# access /mnt/usb/tftpboot due to ujail sandbox
+#enable-tftp=br-lan
+#tftp-root=/mnt/usb/tftpboot
+#tftp-root=/var/run/dnsmasq/tftpboot
+
+dhcp-optsfile=/var/run/dnsmasq/dhcpopts.conf
+
+# for debugging dhcp
#log-queries=extra
EOF
-if $dnsmasq_restart && ! $dev2; then
+if $dnsmasq_restart && ! $dev2 && ! $ap; then
# todo: can our ptr records be put in /etc/hosts?
# eg: user normal /etc/hosts records, and they wont be used for A resolution
# due to the other settings, but will be used for ptr? then maybe
v /etc/init.d/dnsmasq restart
fi
-if $firewall_restart; then
+if $ap; then
+ v /etc/init.d/firewall disable
+ v /etc/init.d/firewall stop
+elif $firewall_restart; then
v /etc/init.d/firewall restart
fi
+## turn off luci
+# if already stopped, gives error we want to ignore
+/etc/init.d/uhttpd stop |& sed '1{/^Command failed/d}'
+/etc/init.d/uhttpd disable |& sed '1{/^Command failed/d}'
+
# this may just restart the network and take care of the network_restart below.
if $wireless_restart; then
v wifi
reboot
fi
-exit 0
+v exit 0