X-Git-Url: https://iankelling.org/git/?p=automated-distro-installer;a=blobdiff_plain;f=wrt-setup-local;h=cda21df9229b2042b138acdd147ca10417bceb08;hp=4cad00c1797158040c6ec1f66dc90d9a321eaf70;hb=53b932c6f960b7f4a9bd2171cdfd630304f15fd8;hpb=fe81034ee9664d8e131bac218b40d99a58a31649 diff --git a/wrt-setup-local b/wrt-setup-local index 4cad00c..cda21df 100755 --- a/wrt-setup-local +++ b/wrt-setup-local @@ -15,21 +15,22 @@ # along with this program; if not, write to the Free Software # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. + set -eE -o pipefail trap 'echo "$0:$LINENO:error: \"$BASH_COMMAND\" returned $?" >&2' ERR usage() { cat <&2; usage 1 ;; esac ;; + y) + zblock=false + rm -f /root/zblock + ;; + z) + zblock=true + touch /root/zblock + ;; m) mac=$OPTARG ;; *) echo "$0: Internal error! unexpected args: $*" >&2 ; usage 1 ;; esac done shift "$((OPTIND-1))" # Discard the options and sentinel -- +if [[ $1 ]]; then + h=$1 + hostname=$h +else + h=cmc + hostname=$h +fi + +secrets=false +if [[ -e /root/router-secrets ]]; then + secrets=true + source /root/router-secrets +fi + if [[ ! $mac ]] && ! $test && $secrets; then # if we wanted to increment it #mac=${mac:0: -1}$((${mac: -1} + 2)) - mac=${rwmac[$rmac]} + mac=${rwmac[$h]} fi if (( $# != 0 )); then @@ -182,7 +201,9 @@ udel() { eval $restart_var=true fi } - +cedit() { + v command cedit -v "$@" +} ### network config @@ -192,19 +213,21 @@ if $test; then lan=10.1.0.0 elif [[ $hostname == cmc ]]; then lan=10.2.0.0 +elif $client; then + lan=10.3.0.0 fi if $test; then ssid="gnuv3" elif $secrets; then - ssid=${rssid[$rmac]} + ssid=${rssid[$h]} fi : ${ssid:=librecmc} if $secrets; then - key=${rkey[$rmac]} + key=${rkey[$h]} fi : ${key:=pictionary49} 
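Review bot: The new hostname-keyed lookups `mac=${rwmac[$h]}`, `ssid=${rssid[$h]}` and `key=${rkey[$h]}` in the @@ -15 and @@ -192 hunks yield empty strings when `$1` is not a key of those arrays, and the unchanged `: ${ssid:=librecmc}` / `: ${key:=...}` fallbacks then bring the AP up with the built-in default SSID and passphrase without any diagnostic. A mistyped host argument should fail closed instead, e.g. right after the `source /root/router-secrets` block: `if $secrets && [[ ! -v "rkey[$h]" ]]; then echo "$0: error: no secrets for host $h" >&2; exit 1; fi`. Whether `rkey` and its siblings are associative arrays is not visible here; if they are indexed arrays the subscript `$h` is arithmetic-evaluated, which is a further reason to validate `$h` before it is used as a subscript. The `if [[ $1 ]]` block can be written as `h=${1:-cmc}; hostname=$h`. The usage text and the start of the option parser are mangled in this rendering, so the new `-y`/`-z` options could not be checked against the usage message.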
@@ -259,10 +282,12 @@ fi
 uset network.lan.ipaddr $l.$lanip
 uset network.lan.netmask $mask
-if $dev2; then
- uset network.lan.gateway $l.1
- uset network.wan.proto none
- uset network.wan6.proto none
+if $dev2 || $client; then
+ if $dev2; then
+ uset network.lan.gateway $l.1
+ uset network.wan.proto none
+ uset network.wan6.proto none
+ fi
 /etc/init.d/dnsmasq stop
 /etc/init.d/dnsmasq disable
 /etc/init.d/odhcpd stop
@@ -285,7 +310,11 @@ EOF
 else
 # these are the defaults
- uset network.lan.gateway ''
+
+ # this is not needed unless switching from the above condition.
+ # disabling just to debug
+ #uset network.lan.gateway ''
+
 uset network.wan.proto dhcp
 uset network.wan6.proto dhcpv6
 /etc/init.d/dnsmasq start
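Review bot: Commenting out `uset network.lan.gateway ''` in the @@ -285 hunk leaves a stale `lan.gateway` on a box that was previously provisioned through the `$dev2` branch, and the adjacent comment says the line is only disabled for debugging. Either restore it or mark it so it is not forgotten, e.g. `# TODO: re-enable once debugging is done; a box switched from dev2 keeps its old gateway otherwise`. In the @@ -259 hunk the `$client` case stops and disables dnsmasq/odhcpd but leaves `network.wan.proto` untouched, which is presumably intended for a wifi-client box; a one-line comment on the `if $dev2 || $client` line stating that would make the intent explicit.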
@@ -296,28 +325,66 @@ else
 fi
 wireless_restart=false
-for x in 0 1; do
- uset wireless.default_radio$x.ssid "$ssid"
- uset wireless.default_radio$x.key $key
- uset wireless.default_radio$x.encryption psk2
- if [[ $mac ]]; then
- uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
- fi
- # secondary device has wireless disabled
- uset wireless.radio$x.disabled $dev2
-done
-if $wireless_restart; then
- v wifi
+if $client; then
+ uset wireless.default_radio0.network 'wwan'
+ uset wireless.default_radio0.ssid ${rclientssid[$h]}
+ uset wireless.default_radio0.encryption 'psk2'
+ uset wireless.default_radio0.device 'radio0'
+ uset wireless.default_radio0.mode 'sta'
+ uset wireless.default_radio0.bssid ${rclientbssid[$h]}
+ # todo: look into whether 5g network is available.
+ uset wireless.default_radio0.key ${rclientkey[$h]}
+ uset wireless.radio0.disabled false
+ uset wireless.radio1.disabled true
+else
+ # defaults, just reseting in case client config ran
+ uset wireless.default_radio0.network lan
+ uset wireless.default_radio0.mode ap
+ for x in 0 1; do
+ uset wireless.default_radio$x.ssid "$ssid"
+ uset wireless.default_radio$x.key $key
+ uset wireless.default_radio$x.encryption psk2
+ if [[ $mac ]]; then
+ uset wireless.default_radio$x.macaddr $macpre$((macsuf + 2*x))
+ fi
+ # secondary device has wireless disabled
+ uset wireless.radio$x.disabled $dev2
+ done
 fi
+if grep '^OPENWRT_BOARD="mvebu/cortexa9"' /etc/os-release &>/dev/null; then
+ # todo, I also enabled irqbalance, didnt script it though
+ # https://forum.openwrt.org/t/wrt1900acs-wifi-issue-after-upgrade-from-19-07-to-21-02-vacuum-cleaner-legacy-rate-support/113311/28
+ cat >/etc/rc.local <<'EOF'
+echo "0" >> /sys/kernel/debug/ieee80211/phy0/mwlwifi/tx_amsdu
+echo "0" >> /sys/kernel/debug/ieee80211/phy1/mwlwifi/tx_amsdu
+exit 0
+EOF
+ chmod +x /etc/rc.local
+ /etc/rc.local
+ uset wireless.radio0.disassoc_low_ack 0
+ uset wireless.radio1.disassoc_low_ack 0
+fi
+case $HOSTNAME in
+ cmc)
+ # found
with https://openwrt.org/docs/guide-user/network/wifi/iwchan + uset wireless.radio0.channel 11 + ;; +esac # usb, screen, relay are for libremanage # rsync is for brc -v pi kmod-usb-storage block-mount kmod-fs-ext4 nfs-kernel-server \ - tcpdump openvpn-openssl adblock libusb-compat /root/relay_1.0-1_mips_24kc.ipk \ - screen kmod-usb-serial-cp210x kmod-usb-serial-ftdi rsync +# +# relay package temporarily disabled +# /root/relay_1.0-1_mips_24kc.ipk +v pi tcpdump screen rsync unbound-daemon unbound-checkconf \ + kmod-usb-storage block-mount kmod-fs-ext4 +# nfs-kernel-server \ + # openvpn-openssl adblock libusb-compat \ + # kmod-usb-serial-cp210x kmod-usb-serial-ftdi \ + cat >/etc/libremanage.conf </dev/null; then - # cant mix cedit plus uci - echo | cedit /etc/config/firewall ||: - uci add_list firewall.@zone[1].network=wg0 - uci commit firewall - firewall-cedit ||: - firewall_restart=true -fi +# not using wireguard for now +# if ! uci get firewall.@zone[1].network | grep wg0 &>/dev/null; then +# # cant mix cedit plus uci +# echo | cedit /etc/config/firewall ||: +# uci add_list firewall.@zone[1].network=wg0 +# uci commit firewall +# firewall-cedit ||: +# firewall_restart=true +# fi -v cedit /etc/hosts </etc/crontabs/root <<'EOF' -0 06 * * * /etc/init.d/adblock reload +# later note: disabled, I dunno why I set this. +# uset dhcp.@dnsmasq[0].resolvfile /dev/null + +# if dnsmasq happens to not send out a dns server, +# odhcpd will send one out like this: +# NetworkManager[953]: [1614982580.5192] dhcp6 (wlan0): option dhcp6_name_servers => 'fd58:5801:8e02::1' +# but i dont want ipv6 dns, just keep it simple to ipv4. +# I know my isp doesnt have ipv6 right now, +# so just stop this thing. +# note: tried this, it didn't do anything: +# uset dhcp.@odhcpd[0].dns 10.2.0.1 + +# iank, disabled while debugging. +#/etc/init.d/odhcpd stop +#/etc/init.d/odhcpd disable + +# todo: make the above conditional on which server this is. + +# avoid errors in log. 
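Review bot: In the `$client` branch of the @@ -296 hunk the secrets are passed unquoted, `uset wireless.default_radio0.ssid ${rclientssid[$h]}` and `uset wireless.default_radio0.key ${rclientkey[$h]}`, while the AP branch quotes `"$ssid"`; an SSID or passphrase containing whitespace would be split into extra arguments to `uset`, so quote both: `uset wireless.default_radio0.ssid "${rclientssid[$h]}"` and `uset wireless.default_radio0.key "${rclientkey[$h]}"`. The channel selection below switches on `$HOSTNAME` whereas the rest of the script keys lan, ssid and secrets on `$h`/`$hostname` taken from `$1`, so an explicit host argument on another box gets that host's network config but this box's channel; `case $hostname in` keeps the two consistent. The branch also binds radio0 to a `wwan` network that this diff never defines; presumably `network.wwan` is configured elsewhere, which is worth confirming. The tail of this hunk and the hunk headers that follow are mangled in this rendering (the heredocs were lost), so those lines could not be reviewed.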
current isp doesnt have ipv6
+uset unbound.@unbound[0].protocol ip4_only
+
+# todo: im not sure all these are needed, but they all look
+# like good options.
+# https://blog.cloudflare.com/dns-over-tls-for-openwrt/
+# https://gist.github.com/vqiu/7b32d3a19a7a09d32e108d998de166c2
+#https://blog.thestateofme.com/2018/04/04/howto-secure-your-dns-with-a-raspberry-pi-unbound-and-cloudflare-1-1-1-1/
+#
+# # i found that the zone example was having no effect on the config
+# # here:
+# https://github.com/openwrt/packages/blob/openwrt-19.07/net/unbound/files/README.md
+#
+# # todo: unbound-control, i'm not sure what the purpose of that thing is, some
+# # kind of coordination with dhcp of dnsmasq, but what?
+#
+# note: for debugging, edit /etc/init.d/unbound, change
+# procd_set_param command $PROG -d -c $UB_TOTAL_CONF
+# to:
+# procd_set_param command $PROG -vvv -d -c $UB_TOTAL_CONF
+
+{
+ cat <<'EOF'
+do-tcp: yes
+prefetch: yes
+qname-minimisation: yes
+rrset-roundrobin: yes
+use-caps-for-id: yes
+do-ip6: no
+private-domain: b8.nz
+local-zone: "10.in-addr.arpa." transparent
+access-control-view: 10.2.0.31/32 "youtube"
+EOF
+
+ if $zblock; then
+ cat <<'EOF'
+# amy, amyw, samsungtab
+access-control-view: 10.2.0.8/32 "youtube"
+access-control-view: 10.2.0.23/32 "youtube"
+access-control-view: 10.2.0.32/32 "youtube"
+EOF
+ fi
+} | cedit /etc/unbound/unbound_srv.conf || restart_unbound=true
+
+
+# dns based blocking vs ip based. with ip, same
+# server can have multiple domains. in dns,
+# you have to make sure clients to use the local dns.
+# https dns will need to be blocked by ip in
+# order to be comprehensive
+
+cedit /etc/unbound/unbound_ext.conf <<'EOF' || restart_unbound=true
+local-data-ptr: "10.2.0.1 cmc.b8.nz"
+local-data-ptr: "10.2.0.2 kd.b8.nz"
+local-data-ptr: "10.2.0.3 sy.b8.nz"
+local-data-ptr: "10.2.0.4 wrt2.b8.nz"
+local-data-ptr: "10.2.0.5 x2.b8.nz"
+local-data-ptr: "10.2.0.6 x2w.b8.nz"
+local-data-ptr: "10.2.0.7 syw.b8.nz"
+local-data-ptr: "10.2.0.8 amy.b8.nz"
+local-data-ptr: "10.2.0.9 bb8.b8.nz"
+local-data-ptr: "10.2.0.12 demohost.b8.nz"
+local-data-ptr: "10.2.0.14 wrt3.b8.nz"
+local-data-ptr: "10.2.0.19 brother.b8.nz"
+local-data-ptr: "10.2.0.23 amyw.b8.nz"
+local-data-ptr: "10.2.0.25 hp.b8.nz"
+local-data-ptr: "10.2.0.31 amazontab.b8.nz"
+local-data-ptr: "10.2.0.32 samsungtab.b8.nz"
+local-data-ptr: "10.173.0.2 transmission.b8.nz"
+local-data-ptr: "10.173.8.1 defaultnn.b8.nz"
+local-data-ptr: "10.173.8.2 nn.b8.nz"
+
+forward-zone:
+ name: "."
+# https://developers.cloudflare.com/1.1.1.1/1.1.1.1-for-families/setup-instructions/dns-over-https
+ forward-addr: 1.1.1.3@853#family.cloudflare-dns.com
+ forward-addr: 1.0.0.3@853#family.cloudflare-dns.com
+ forward-ssl-upstream: yes
+ forward-first: no
+
+view:
+ name: "youtube"
+ local-zone: "googlevideo.com." refuse
+ local-zone: "video.google.com." refuse
+ local-zone: "youtu.be." refuse
+ local-zone: "youtube-nocookie.com." refuse
+ local-zone: "youtube-ui.l.google.com." refuse
+ local-zone: "youtube.com." refuse
+ local-zone: "youtube.googleapis.com." refuse
+ local-zone: "youtubeeducation.com." refuse
+ local-zone: "youtubei.googleapis.com." refuse
+ local-zone: "yt3.ggpht.com." refuse
+ local-zone: "youtubekids.com." refuse
+ # try global if no match in view
+ view-first: yes
 EOF
+if $restart_unbound; then
+ /etc/init.d/unbound restart
+ if ! unbound-checkconf; then
+ echo $0: error: unbound-checkconf failed >&2
+ exit 1
+ fi
+fi
+
+
+# # disabled for now. i want to selectively enable it
+# # for specific hosts.
+# if [[ $(uci get adblock.global.adb_enabled) != 0 ]]; then +# v uci set adblock.global.adb_enabled=0 +# uci commit adblock +# /etc/init.d/adblock restart +# fi +# # https://github.com/openwrt/packages/tree/master/net/adblock/files +# cat >/etc/crontabs/root <<'EOF' +# 0 06 * * * /etc/init.d/adblock reload +# EOF + + # useful: http://wiki.openwrt.org/doc/howto/dhcp.dnsmasq # sometimes /mnt/usb fails, cuz it's just a flash drive, # so make sure we have this dir or else dnsmasq will fail # to start. mkdir -p /mnt/usb/tftpboot -v cedit /etc/dnsmasq.conf < +# or on cmc, +# /etc/init.d/dnsmasq stop +# vi /tmp/dhcp.leases +# /etc/init.d/dnsmasq start + # default dhcp range is 100-150 # bottom port, iPXE (PCI 03:00.0) in seabios boot menu dhcp-host=c8:60:00:31:6b:75,set:kd,$l.2,kd +dhcp-host=94:05:bb:1e:2c:2e,set:sy,$l.3,sy # top port, iPXE (PCI 04:00.0) in seabios boot menu #dhcp-host=c8:60:00:2b:15:07,set:kd,$l.2,kd -dhcp-host=00:26:18:97:bb:16,set:frodo,$l.3,frodo # 4 is reserved for a staticly configured host wrt2 # old x2 with bad fan #dhcp-host=00:1f:16:16:39:24,set:x2,$l.5,x2 dhcp-host=f0:de:f1:81:ec:88,set:x2,$l.5,x2 dhcp-host=c4:8e:8f:44:f5:63,set:x2w,$l.6,x2w +dhcp-host=34:7d:f6:ed:ec:07,set:syw,$l.7,syw +dhcp-host=80:fa:5b:1c:6e:cf,set:amy,$l.8,amy # This is so fai can have an explicit name to use for testing, # or else any random machine which did a pxe boot would get # reformatted. The mac is from doing a virt-install, cancelling it, # and copying the generated mac, so it should be randomish. 
-dhcp-host=fa:08:f8:4c:14:1c,set:tp,$l.7,rp
-dhcp-host=80:fa:5b:1c:6e:cf,set:tp,$l.8,tp
 dhcp-host=52:54:00:9c:ef:ad,set:demohost,$l.12,demohost
 dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp
-dhcp-host=00:1f:16:14:01:d8,set:tp,$l.18,x3
+# 14 = wrt3
+dhcp-host=00:1f:16:14:01:d8,set:x3,$l.18,x3
 # BRN001BA98CA823 in dhcp logs
-dhcp-host=00:1b:a9:8c:a8:23,set:tp,$l.19,brother
+dhcp-host=00:1b:a9:8c:a8:23,set:brother,$l.19,brother
+
+dhcp-host=00:26:b6:f7:d4:d8,set:amyw,$l.23,amyw
+dhcp-host=9a:c6:52:6f:ce:7c,set:onep9,$l.24,onep9
+dhcp-host=38:63:bb:07:5a:f9,set:hp,$l.25,hp
 dhcp-host=00:26:b6:f6:0f:e9,set:frodow,$l.28,frodow
+dhcp-host=6c:56:97:88:7b:74,set:amazontab,$l.31,amazontab
+dhcp-host=0a:8a:9b:cf:b5:ec,set:samsungtab,$l.32,samsungtab
+
 # faiserver vm
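Review bot: The unbound block restarts the daemon before validating its configuration — `/etc/init.d/unbound restart` runs first and `unbound-checkconf` only afterwards — so a bad `unbound_srv.conf`/`unbound_ext.conf` takes the resolver down before the script notices; run `if ! unbound-checkconf; then echo "$0: error: unbound-checkconf failed" >&2; exit 1; fi` first and restart only after it passes. `restart_unbound` is assigned only on the `|| restart_unbound=true` paths; unless it is initialised to `false` earlier in the file (not visible here), `if $restart_unbound` expands to an empty command, which succeeds, and unbound is restarted on every run — the same applies to `if $zblock` when neither `-y` nor `-z` is given. The flag also departs from the `<service>_restart` naming used by `dnsmasq_restart`, `firewall_restart` and `wireless_restart`. Not introduced here, but the context line `dhcp-host=62:03:cb:a8:3e:a3,set:trp,$1.13,trp` uses `$1` where its neighbours use `$l`, and with this commit `$1` is the host argument rather than the lan prefix. The hunk boundaries around the lost heredocs are not recoverable in this rendering, so the extent of this hunk is uncertain.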
@@ -813,19 +1111,30 @@ dhcp-host=b4:75:0e:94:29:ca,set:switch9429ca,$l.251,switch9429ca
 # template
 # dhcp-host=,$l.,
-# Just leave the tftp server up even if we aren't doing pxe boot.
-# It has no sensitive info.
-enable-tftp=br-lan
-tftp-root=/mnt/usb/tftpboot
-dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
+# uncomment to do tftpboot. openwrt snapshot from 2022-01, seems like it cant
+# access /mnt/usb/tftpboot due to some jail or sandbox thing
+#enable-tftp=br-lan
+#tftp-root=/mnt/usb/tftpboot
+#dhcp-optsfile=/etc/dnsmasq-dhcpopts.conf
 #log-queries=extra
 EOF
-
-
 if $dnsmasq_restart && ! $dev2; then
+ # todo: can our ptr records be put in /etc/hosts?
+ # eg: user normal /etc/hosts records, and they wont be used for A resolution
+ # due to the other settings, but will be used for ptr? then maybe
+ # we dont have to restart dnsmasq for a dns update?
+ #
+ # interesing link:
+ # https://www.redpill-linpro.com/techblog/2019/08/27/evaluating-local-dnssec-validators.html#toggling-dnssec-validation-1
+ # we could turn on dnssec validation when wrt gets dnsmasq > 2.80. currently at 2.80.
+ # also we can turn off dnssec in systemd-resolved if we know the router is doing it.
+ #
+ # Also, reload of dnsmasq seems to break things, wifi
+ # clients were not getting internet connectivity.
 v /etc/init.d/dnsmasq restart
 fi
@@ -833,6 +1142,10 @@ if $firewall_restart; then
 v /etc/init.d/firewall restart
 fi
+# this may just restart the network and take care of the network_restart below.
+if $wireless_restart; then
+ v wifi
+fi
 # todo: we should catch errors and still run this if needed
 if $network_restart; then
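Review bot: The guard `if $dnsmasq_restart && ! $dev2; then` in the @@ -813 hunk was not updated for the new client mode: the @@ -259 hunk stops and disables dnsmasq when `$client` is true, but any change to `/etc/dnsmasq.conf` on such a box still reaches `v /etc/init.d/dnsmasq restart` here and brings the service back up; change it to `if $dnsmasq_restart && ! $dev2 && ! $client; then`. The twelve comment lines inserted inside that `if` are design notes about PTR records and DNSSEC rather than an explanation of the restart, so they read better above the block, leaving only the "reload seems to break things" remark next to the `restart` call it justifies. In the @@ -833 hunk the comment on `if $wireless_restart` is a conjecture about `wifi` also restarting the network; if that is confirmed, the later `network_restart` block should check it, otherwise mark the comment as unverified.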