OpenWRT 10.03 on Buffalo WZR-HP-G300NH

I’ve been using a Linksys WRT54GL router running DD-WRT for several years now. It runs OpenVPN and fits a surprisingly large number of features into 4 MB of flash and 16 MB of RAM. It has been stable and reliable, but it’s a very under-powered device by modern standards. I haven’t been happy with the pace of DD-WRT development, which takes a very long time to release large, monolithic updates. First I tried to upgrade it to OpenWRT, but the latest release is too large to incorporate OpenVPN in 4 MB of flash. So I replaced it with a Buffalo WZR-HP-G300NH running OpenWRT Backfire 10.03.

Full disclosure: before replacing the WRT54GL router, I tried to downgrade it to an older release of OpenWRT (Kamikaze 8.09.2). I uploaded the wrong firmware and bricked it. Oops. I had already decided to replace it, but this added some urgency.

My reasons for upgrading are mostly technical. I want to install other software packages on the router, such as mtr and tcpdump. This makes debugging infinitely faster and easier. When the going gets tough, the tough sniff packets. The Buffalo also represents a hardware upgrade in virtually every way – flash storage, RAM, CPU, wireless speed, Ethernet speed, and USB support.

However, there is also a bit of politics involved. DD-WRT’s development model is much more “closed” than OpenWRT’s, and is heavily centralised. OpenWRT is more of a community project and supports external packages developed in parallel. Further, DD-WRT tries to store everything in the device NVRAM (non-volatile RAM), while OpenWRT creates a JFFS2 filesystem much more like a typical Linux system. I’d rather use and support OpenWRT as a project, and I think their way is the way forward.

Installation

The OpenWRT page for the WZR-HP-G300NH gives step-by-step instructions on how to install OpenWRT. These steps worked perfectly, so I won’t reproduce them here. I installed the Squashfs image via the TFTP method. After installation, I logged in via telnet and changed the root password. Do this straight away: a fresh OpenWRT install accepts unauthenticated telnet logins until a root password is set, and setting one is what switches the device over to Dropbear SSH.

There is a known issue where SSH doesn’t start for 2-3 minutes after you change the root password: Dropbear generates its RSA and DSS host keys on first start, and that takes a while on a router CPU. This happened to me but was just a matter of waiting until SSH started.

The hardware takes about 20 seconds to boot up, then waits for firmware by TFTP for 4 seconds, then loads OpenWRT. In total, boot time is about 45 seconds. This is just longer than my Ubuntu 10.04 media PC waits for an address by DHCP, so whenever I reboot the router I have to manually reconnect to the network. Ironically, the PC boots faster than the router. I hope makers of embedded systems follow Ubuntu’s example of speeding up boot times, because the difference is pretty glaring.

Package Management

Packages can be installed from the command line or from Luci, the web interface. Before you can do so, you must download a package list from OpenWRT using the package manager, opkg. This tool is similar to dpkg or apt-get from Debian. The package list is kept in a RAM disk, so it does not persist across reboots. Before installing, either run opkg update or log in to Luci and click “Administration”, then “System -> Software”, and finally “update package list”. Note that opkg in this release fetches both the list and the packages over plain HTTP and does not verify signatures, so do this from a network path you trust.

Install packages with opkg install packagename. Some packages ship the same file: dropbear and openssh-client both provide /usr/bin/scp, for instance, so opkg refuses to install the second one with an error that the file already belongs to another package. The fix is to pass --force-overwrite to opkg install for that package (the OpenSSH scp then replaces Dropbear’s).

Most packages are configured by the uci command or Luci, and store their preferences in /etc/config.

Remove packages with opkg remove packagename. This does not leave configuration files behind, except for those in /etc/config.

I must say I’m pretty impressed with opkg; it’s an excellent implementation of principles from apt-get and it works very well on such a small platform. It’s certainly much easier to use than DD-WRT, which doesn’t have packages at all. You must select what features you want when you install the firmware, and the choices are slim – standard, micro (small flash), and openvpn are about the only useful choices. It is possible to install OpenWRT packages on DD-WRT devices with sufficient flash, but then why not just use OpenWRT?

Daemons like OpenVPN do not start when they are installed, and they are not configured to start on boot. To do both, run /etc/init.d/openvpn enable (which creates the /etc/rc.d symlink) followed by /etc/init.d/openvpn start, or use Luci: go to “Administration”, then “Services -> Initscripts”, and click on both “Enable” and “Start”.

Wireless

Wireless doesn’t work out of the box, but it is easy to install. If you want to use WEP or WPA, install “wpad-mini”. If you want a more advanced mechanism like RADIUS or EAP, install the full “wpad” package. Whichever you pick, configure WPA2 (psk2) with a long random passphrase rather than WEP or WPA1/TKIP: both of the latter are broken and only worth enabling for a device that supports nothing else. I preferred to install “wpad” rather than “wpad-mini”, so I could support other WPA authentication mechanisms. We’re always talking about replacing pre-shared keys with RADIUS at work, and the difference in package size is minimal, so I installed the full package.

After that I was able to configure wifi using Luci. You can configure multiple wifi networks but I found the ath9k driver (or chipset) didn’t support different encryption settings. For instance, you can have these:

  1. One network with WPA encryption
  2. One network with WPA and one network with no encryption

But you cannot have these:

  1. One network with WPA and one network with WEP
  2. Two WPA networks with different keys

I’ve read that it is possible to do this with software encryption, but it wasn’t sufficiently important to me to continue. If I really want to use my Nintendo DS, I’ll just crack a nearby WEP network or set up a temporary AP on spare hardware I have lying around.

I didn’t test 802.11n wireless, as I have no other hardware which supports it.

USB

The instructions for enabling USB support said to only install the packages you really need. However, the WZR-HP-G300NH has plenty of flash, and I found my FAT32 USB stick wouldn’t mount with just the UTF8 character set installed. So I installed support for all languages and filesystems.

I then configured the USB drive to mount automatically at boot through OpenWRT’s fstab configuration (/etc/config/fstab).

I didn’t install Samba support. SSH/SCP/SSHFS works fine for me.

HTTPS

The default installation supports SSH but not HTTPS. This strikes me as a strange choice, but it’s easy to resolve: install the luci-ssl package, which pulls in uhttpd’s TLS module and generates a self-signed certificate for it.

Luci didn’t answer HTTPS until I rebooted the router (restarting uhttpd with its init script should be enough). Because the certificate is self-signed, your browser will warn on first connection; check the fingerprint once at that point rather than clicking through every time, and keep the web interface reachable from the lan zone only.

SNMP

I like Cacti, and I like graphing my router’s IP throughput. OpenWRT has two SNMP daemons: mini_snmpd and snmpd. Don’t use mini_snmpd. It only supports SNMPv1/v2c, and it doesn’t care about the SNMP community – it gives SNMP data to anybody who asks for it. It also only runs if you install IPv6 support (package kmod-ipv6).

SNMPd doesn’t have a Luci interface, but it is easy to configure from SSH. Log in and edit /etc/config/snmpd. Change the public and private communities to something less obvious, such as a random password generated by pwgen (also installable with opkg). Bear in mind that v1/v2c community strings travel in clear text and are the only access control, so also keep snmpd reachable from the lan zone only (the default firewall already rejects UDP/161 from wan), and since snmpd’s com2sec entries take a source network, set the read community’s source to the subnet your Cacti host is on rather than allowing any.

The private (write) community cannot do much to this device, but I prefer to set it to something very long and then forget about it. Then save the file, and enable and start snmpd (either with its init script at the command line or in Luci’s Initscripts interface).

UPNP, Avahi, and NTP Client

I also installed UPNP, Avahi (MDNS), and NTP client support. UPNP and the NTP client can be configured through Luci, but Avahi doesn’t really have anything to configure. OpenWRT supports rdate out of the box, but I use NTP everywhere else, so why not here? One caveat: UPnP lets any host on the LAN open inbound ports on the WAN side with no authentication, so only enable it if you have devices that actually need it.

Enable them using the Luci Initscripts interface.

Utilities

Then I installed the command-line tools I like to have on routers: mtr, tcpdump, fping, iptables-utils and openssh-client.

openssh-client is necessary for SSH agent support, which Dropbear’s own SSH client doesn’t offer. I use this with SSHFS to mount my hard drive and dump tcpdump files over the network. This is dangerous, since tcpdump might sniff the SSHFS traffic: each captured packet is written to the pcap over SSH, that write produces more packets, which are captured and written in turn, until the link saturates. Always exclude your own SSH session and the SSHFS transport from the capture filter, or bad things will happen.
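As an added example (not from the original post), here is a small shell helper that builds that exclusion filter from the SSH_CLIENT variable Dropbear and OpenSSH set in the login session, so it excludes exactly the session you are typing in rather than all of tcp/22, and optionally excludes the SSHFS transport to the host receiving the dump. SSHFS_HOST and the function names are this example’s assumptions:

```shell
#!/bin/sh
# Build a tcpdump capture filter that leaves out the SSH traffic the capture
# itself generates.  Added example, not the post's own script.
#
# Dropbear and OpenSSH export SSH_CLIENT="client_ip client_port server_port"
# into the login session; that pins down this one interactive session rather
# than blanket-excluding tcp/22 (which would hide other SSH traffic you may
# want to see).  SSHFS_HOST (this example's own name) is the machine the pcap
# is written to over SSHFS; its SSH transport must be excluded too.

own_ssh_filter() {
    ssh_client=$1        # contents of $SSH_CLIENT
    sshfs_host=$2        # host receiving the dump over SSHFS, or empty

    case "$ssh_client" in
        *' '*' '*) ;;    # three space-separated fields, as expected
        *) echo "own_ssh_filter: not inside an SSH session (SSH_CLIENT unset)" >&2
           return 1 ;;
    esac

    client_ip=${ssh_client%% *}
    rest=${ssh_client#* }
    client_port=${rest%% *}
    server_port=${rest#* }

    # "host X and tcp port A and tcp port B" matches only packets between
    # X:A and us:B, i.e. this one session, in either direction.
    filter="not (host $client_ip and tcp port $client_port and tcp port $server_port)"

    # The SSHFS mount is a separate outbound SSH connection from the router
    # to the dump host; exclude it by host and service port.
    if [ -n "$sshfs_host" ]; then
        filter="$filter and not (host $sshfs_host and tcp port 22)"
    fi
    printf '%s\n' "$filter"
}

# Capture on an interface into the SSHFS-mounted directory, AND-ing any
# extra expression with the exclusions.  Refuses to run outside SSH rather
# than guessing.  Usage on the router:
#   SSHFS_HOST=nas.example.test capture_safely eth1 /mnt/dumps/dns.pcap port 53
capture_safely() {
    iface=$1; outfile=$2; shift 2
    f=$(own_ssh_filter "${SSH_CLIENT:-}" "${SSHFS_HOST:-}") || return 1
    if [ $# -gt 0 ]; then
        f="$f and ($*)"
    fi
    tcpdump -i "$iface" -w "$outfile" "$f"
}
```

The filter is built from the session’s own addresses rather than from a fixed “port 22” because on a router you often do want to see other people’s SSH traffic; only the two connections that carry the capture itself have to be kept out.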

iptables-utils provides iptables-save, which is a far more sane way to read iptables rules. I can’t even look at normal iptables output any more. fping is ping’s smarter, older, multi-tasking brother. In fact, just try and learn to use all of these utilities. You won’t regret it.

OpenVPN

OpenVPN installation is as easy as the rest: opkg install openvpn, plus luci-app-openvpn for the web interface.

Next, configure OpenVPN using Luci. It will appear under “Administration”, then “Services -> OpenVPN”. I have an OpenVPN server at work we wish to connect to, so I created a new configuration named “Work”, and then added entries for “Remote host” and “Type of used device” (we use tap, not tun). I then added “Certificate authority”, “Local certificate”, and “Local private key” and uploaded each of the files. I then started OpenVPN using the Initscripts interface. Two things worth checking at this point: the uploaded private key now lives on the router’s flash, so make sure it is readable by root only, and make sure the client is told to verify that the far end presents a server certificate (ns-cert-type server in this OpenVPN generation), otherwise any certificate issued by the same CA could impersonate the office.

OpenWRT uses firewall “zones” like “lan” and “wan” to distinguish between outside and inside traffic. Unknown traffic from the “wan” zone is rejected, and traffic from the “lan” zone is masqueraded (NATed) and permitted to exit. This is an excellent design, but it doesn’t have an entry for “vpn”. I tried to create one using Luci (“Administration”, then “Network -> Firewall”), but it doesn’t really work. This is because the firewall loads before OpenVPN. Therefore the tap/tun device does not yet exist, and no rules are added to the firewall to identify the OpenVPN traffic as part of the “vpn” zone. I tried reloading the firewall after OpenVPN, but this caused the WAN interface and VPN to drop, and never worked well no matter how I tried it.

I was really keen on using the Luci interface to configure the firewall, but in the end it was much easier to hack up a solution. I removed my “vpn” zone and just added some lines to /etc/firewall.user. This is a handy hook the developers added, a place to run custom commands after the firewall loads. My rules accept all traffic to and from the VPN interfaces (“tap+” matches tap0, tap1, etc., so the rules can be loaded before the interface exists) and masquerade traffic going into the VPN. A quick reboot, and the VPN started up, the firewall rules loaded correctly, and everything worked perfectly.
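Here is what such a /etc/firewall.user looks like, as an added example reconstructed from the description above rather than the post’s own file (its exact lines are not reproduced on this page). Everything in it is standard iptables; the IPT variable, the function names and the OpenWRT check are this example’s additions so the same file can be reviewed, with its rules printed, on a machine that is not the router:

```shell
#!/bin/sh
# /etc/firewall.user: sourced by the OpenWRT firewall script each time the
# firewall is (re)loaded, after the zone rules have been built.  Added
# example reconstructed from the description above, not the post's own file.
# "tap+" is an iptables interface wildcard (tap0, tap1, ...), so the rules
# load fine even though no tap device exists yet when the firewall starts.

IPT=${IPT:-iptables}   # set IPT=echo to print the rules instead of applying them

vpn_rules() {
    # Accept everything arriving from, or leaving through, any VPN tap device.
    # -I inserts at the head of the chain, ahead of the zone chains, so the
    # wan zone's REJECT never gets a look at tunnel traffic.
    $IPT -I INPUT   -i tap+ -j ACCEPT
    $IPT -I OUTPUT  -o tap+ -j ACCEPT
    $IPT -I FORWARD -i tap+ -j ACCEPT
    $IPT -I FORWARD -o tap+ -j ACCEPT
    # LAN hosts entering the tunnel appear as the router's VPN address, so
    # the far end needs no route back to the home LAN.
    $IPT -t nat -A POSTROUTING -o tap+ -j MASQUERADE
}

# Print the rules without touching the kernel (for review on any machine).
print_vpn_rules() {
    ( IPT=echo; vpn_rules )
}

# Apply only on the router itself (OpenWRT ships /etc/openwrt_release) and
# only as root; anywhere else just show what would be done.  This guard is
# the example's own, so the file can be reviewed off the router.
if [ -f /etc/openwrt_release ] && [ "$(id -u)" = 0 ]; then
    vpn_rules
else
    print_vpn_rules
fi
```

After a reboot, iptables-save | grep tap+ should show all five rules. Note that this trusts the tunnel completely in both directions; for a VPN into an office network it is worth narrowing the FORWARD rules to the hosts or ports you actually use, and remember that the masquerade means the office side only ever sees the router’s VPN address.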

LED Configuration

This part is just plain fun. Using Luci (“Administration”, then “System -> LED Configuration”) you can control the behaviour of the LEDs on the front of the device. They can be set to stay on or off, can blink with activity, and can be tied to any network device. You can even set one to blink a heartbeat pattern at a rate tied to system load. On the WZR-HP-G300NH you can control these LEDs on the face: orange “security”, green “wireless” and “router”, red “diag”; and you can also control the blue “USB” light on the back just above the USB port. I was not able to make the USB LED turn on when a USB stick is mounted, but I was able to configure the first three lights on the face, so that I am alerted to activity on the LAN, WAN, and VPN interfaces. It’s nice to have a “lock” icon when the VPN is connected, as this is a useful external indicator of network trouble.
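For the client case above, tying the LED to the tap interface is enough: the interface only exists while the tunnel is up, so its link state is a true up/down indicator. When the router is the OpenVPN server the tap interface exists permanently and says nothing about whether anyone is connected (the comment thread at the end of this post runs into exactly that). The following script is an added example, not part of the original post: it counts connected clients in the OpenVPN status file and drives the LED directly. The status file path, the LED name under /sys/class/leds and the function names are this example’s assumptions; the file layout is OpenVPN’s standard version-1 status format. Give the LED no trigger in /etc/config/system so the script owns it, and run the script from cron every minute.

```shell
#!/bin/sh
# Drive an LED from the number of clients connected to a local OpenVPN
# server.  Added example, not from the post.  Assumes the server config has
# "status /var/run/openvpn-status.log" (path is this example's assumption)
# and that the LED has no trigger so brightness can be written directly;
# the LED name is also an assumption, check ls /sys/class/leds on the box.

STATUS=${STATUS:-/var/run/openvpn-status.log}
LED=${LED:-/sys/class/leds/wzr-hp-g300nh:orange:security}

# Count client rows in an OpenVPN version-1 status file: the non-empty lines
# between the "Common Name,Real Address,..." header and "ROUTING TABLE".
# Prints 0 for a missing file rather than failing, so the LED goes off.
connected_clients() {
    [ -r "$1" ] || { echo 0; return; }
    awk '
        /^Common Name,Real Address/ { in_list = 1; next }
        /^ROUTING TABLE/            { in_list = 0 }
        in_list && NF               { n++ }
        END                         { print n + 0 }
    ' "$1"
}

# Map a client count to an LED brightness value (0 = off, 1 = on).
led_value() {
    [ "$1" -gt 0 ] && echo 1 || echo 0
}

# Write the value if the LED exists (a no-op elsewhere, e.g. when testing)
# and print the client count.
update_led() {
    n=$(connected_clients "$STATUS")
    v=$(led_value "$n")
    if [ -w "$LED/brightness" ]; then
        echo "$v" > "$LED/brightness"
    fi
    echo "$n"
}

# Constructed sample status file (two connected clients) for a self-check;
# not real data.
sample_status() {
    cat <<'EOF'
OpenVPN CLIENT LIST
Updated,Fri Oct 21 12:00:00 2011
Common Name,Real Address,Bytes Received,Bytes Sent,Connected Since
laptop,203.0.113.7:49152,12345,67890,Fri Oct 21 11:50:00 2011
phone,198.51.100.23:33412,2048,4096,Fri Oct 21 11:58:00 2011
ROUTING TABLE
Virtual Address,Common Name,Real Address,Last Ref
10.8.0.6,laptop,203.0.113.7:49152,Fri Oct 21 11:59:00 2011
10.8.0.10,phone,198.51.100.23:33412,Fri Oct 21 11:59:30 2011
GLOBAL STATS
Max bcast/mcast queue length,0
END
EOF
}
```

OpenVPN rewrites the status file at the interval its status option sets (every minute by default), so the LED lags a disconnect by up to that interval plus the cron period; for a faster indicator, use the server’s client-connect and client-disconnect hooks to call update_led directly.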

Syslog

OpenWRT supports logging to an external syslog server. Using Luci, see “Administration”, “System -> System”, and fill in the additional field “External system log server”. Remote syslog is plain UDP, so point it at a collector on the LAN. Local logs are stored in a circular buffer in RAM (lost on reboot), and are visible in Luci (“Administration”, then “Status -> System Log”) and from the command line with logread -f. This is very helpful for debugging OpenVPN problems like bad certificates, or certificates that appear expired or not yet valid because the router has no battery-backed clock and its time is wrong until NTP has run.

QoS

Quality of Service (QoS, or rate shaping) is done by the qos-scripts package (opkg install qos-scripts). To configure it, edit /etc/config/qos and set your upload and download rates, and set rules to classify traffic. Then enable and start it using the Luci Initscripts interface. I have a fairly high-bandwidth connection at home and don’t really need QoS, so I don’t use it.

Performance Metrics and Comparison

Total remaining flash storage after all these packages are installed is 17.3 MB. This means the entire system plus my extras are installed in under half the available flash storage. RAM usage just after reboot, while running openvpn, miniupnp, avahi, dnsmasq, ntpclient, dropbear, uhttpd (Luci) with SSL support, and snmpd is 34 MB.

So far it has handled Bittorrent without complaint. Kernel netfilter settings seem to be a fair balance of permissive and careful: established TCP connections time out after one hour, UDP after 60 seconds (180 for streams), and conntrack can track up to 16K connections (the sysctls are net.netfilter.nf_conntrack_tcp_timeout_established, nf_conntrack_udp_timeout, nf_conntrack_udp_timeout_stream and nf_conntrack_max). At 232 bytes each, a full table of 16,384 entries consumes just under 4 MB of RAM. This is significantly more than the Linksys could support.

I compared wifi throughput between a Linksys WRT54GL and the new Buffalo WZR-HP-G300NH. Thankfully I had a spare unit to replace the bricked WRT54GL. Tests were performed using iperf, transmitting UDP datagrams for 30 seconds at various rates, and monitoring the test with bwm-ng. Data was sent between my gigabit-capable media PC on Ethernet and my laptop on 802.11g wireless. Maximum throughput on the Buffalo is nearly twice that of the Linksys:

17.5 Mbit/s – Linksys WRT54GL running DD-WRT v24-sp1
32.5 Mbit/s – Buffalo WZR-HP-G300NH running OpenWRT 10.03

Command Summary

For those who want to quickly install a setup similar to this, the commands are the opkg install, init script enable/start and configuration steps given above, run in that order at the terminal. This is really just for my own notes, in case I need to quickly reinstall.

Warning: the ash command line is limited to 512 characters, which is a little under 7 lines at 80 characters wide. Beware of this when pasting long package lists or commands; split a long opkg install into several invocations rather than one line.

Conclusions

The Buffalo WZR-HP-G300NH running OpenWRT 10.03 is a serious improvement over the Linksys WRT54GL with DD-WRT v24-sp1. It is capable of higher wired and wireless throughput, can support more software and more TCP/UDP sessions, and is more configurable. One drawback is that everything in DD-WRT is configurable through the web interface, whereas some settings in OpenWRT may only be configured at the command line. For example, DD-WRT offers a GUI for QoS. This is a complicated subject that benefits from a GUI, and in this area I think DD-WRT wins out. However, this is a symptom of features being introduced as packages faster than the GUI can be extended to support them. I’d rather have a feature with a text file interface than no feature at all.

A Buffalo WZR-HP-G300NH can be had from Amazon UK for £69, while a Linksys WRT54GL is £48. If you’re considering buying a new router, buy the Buffalo. If you are thinking about upgrading, 70 quid gets you a very capable improvement on your current router.

Updates

2010-09-30: See my next post for upgrading to the latest OpenWRT release. If you’re installing a new Buffalo WZR-HP-G300NH, I recommend installing 10.03.1-rc3 directly.

2011-10-21: I’ve upgraded to each release in the 10.03.1-rc series since this was written. I advise you to directly install the latest release. See all posts related to OpenWRT.

  1. Mike

    Hi,
    I’m also running OpenWRT 10.03 on the Buffalo, works very well.

    About this comment:
    “Daemons like OpenVPN do not start when they are installed, and they are not configured to start on boot. To start them, either use a command like /etc/init.d/openvpn start or use Luci (“Administration”, then “Services -> Initscripts”).”

    You can use the command ‘/etc/init.d/openvpn enable’ to configure OpenVPN to start on boot.

    1. Tyler Wagner

      You’re quite right, Mike. I’ll update the post. Thanks!

    2. Dennis Birkholz

      Hi Tyler,

      i think about replacing my WRT54GL with a new router and this Buffalo came to my mind. How is the speed of the gigabit switch? Can you do a little benchmark for me? Thank you.

      Greets,
      Dennis

      1. Tyler Wagner

        Hi Dennis,

        Unfortunately, I only have one PC at home with gigabit capability. From that PC to my laptop, which is 100 mbit, iperf sustained 90 mbit/sec consistently (UDP transfer, TCP would perform worse). If I take home another gigabit PC I’ll test it for you.

      2. Fernando

        Tyler,

        Did you try installing a printer? I upgraded my router to a WZR-HP-G300NH to try to print wirelessly from my Canon MP480, but I failed. I tried every single website that I could find online with no luck. I even tried the new canon-cups package, which didn’t work for me either. I like the way you explain things, so it would be great to have some info on this.
        Thanks!

        1. Tyler Wagner

          Sorry, Fernando. Canon support for Linux is and has always been terrible. The fact is, if you want it to work with Linux, do not buy Canon. I always recommend HP for the opposite reason; HP always works with Open Source developers and CUPS.

          Drivers do exist “on the Canon Europe website”, according to openprinting.org, but I doubt you’ll get them to work with OpenWRT.

          1. Fernando

            Tyler, thank you; at least now I won’t spend all the time trying to figure it out. I read posts online from people saying that they have a Canon printer working with OpenWRT, however because of my basic Linux skills I will wait until new support appears. Thank you again and keep up with your blog, it’s great!

          2. sl33nyc

            I loaded OpenWRT Backfire (10.03) and haven’t been able to keep the wireless up. I’m using the router as a client to my actual home router, which happens to be Broadcom-based. I previously discovered problems trying to bridge using WDS b/w Atheros and Broadcom routers, but I’m unsure if I’m experiencing the same problems with just an Atheros client connecting to a Broadcom router. Basically, the Atheros client will connect wirelessly to my Broadcom router, but the wireless connection (as measured by ping) will get progressively worse until dying, usually after ten minutes.

            Does anybody have any advice? Would upgrading to 10.03.1rc3 help?

            1. Tyler Wagner

              sl33nyc,

              Yes, upgrade to 10.03.1rc3 immediately. I had numerous wireless issues with my Atheros chipset on 10.03. It’s easy to do, and my next post covers the process.

            2. Chris

              Thank you so much for putting your experience on this blog that detailed. It gave me a lot of pointers to useful utilities that I didn’t know yet.

            3. AgentME

              Great write-up! I’ve been looking around for a new router to get to run OpenWRT, and was about to settle on the TL-WR1043ND but this one looks great. Looks like it has 4x flash and better network throughput, so the only question was how well it supported OpenWRT.
              Does anyone know if it supports wireless N well with OpenWRT though?

              1. Tyler Wagner

                I haven’t tested draft-N yet. However, this hardware only supports 2.4 GHz, so if you want to use draft-N at 5 GHz, use a different router.

                See a review of the TL-WR1043ND here, which amusingly recommends the Buffalo WZR-HP-G300NH at the end.

              2. Motiejus Jakštys

                First I tried to upgrade it to OpenWRT, but the latest release is too large to incorporate OpenVPN in 4 MB of flash. So I replaced it with a Buffalo WZR-HP-G300NH running OpenWRT Backfire 10.03.

                If you are lazy, then yes. :) If not, you have a couple of choices:
                1)
                # opkg --force-space install libopenssl
                # opkg install openvpn

                That’s it! It really fits (still ~200KiB remains in flash with 10.03).

                2) build your own OpenWRT image. You can squeeze many more packages into the so-called ROM (don’t remember the exact filesystem, but the one that’s read-only) than into the jffs2.

                3) Hack. If you don’t want choice (2) but still lack space, put libopenssl.so.xz to flashdrive and extract it to tmpfs on boot. This saves ~100 extra kilobytes.

                I have OpenVPN, radvd, ipv6 support, proper wget with choice (2). Had a bit less with (3), but OpenVPN worked fine.

                My reasons for upgrading are mostly technical. I want to install other software packages on the router, such as mtr and tcpdump. This makes debugging infinitely faster and easier

                Not really true again. :) You can install those packages to RAM when you need:
                # opkg -d ram install tcpdump
                # /tmp/usr/bin/tcpdump ...

                1. Tyler Wagner

                  I wasn’t aware of either the “--force-space” or “-d ram” options. Thanks for the tip.

                  If I recall correctly, I wasn’t able to install any packages on the WRT54GL with OpenWRT. It always complained about insufficient space. How much is reserved, and why?

                  1. Motiejus Jakštys

                    It downloads the archive to ramfs (which is plenty), checks size of the contents inside. And if size(contents) > space(flash), it stops and complains.

                    However, --force-space works, because jffs2 is compressed by itself, and that check is very conservative (as said, it does not take jffs2 compression into account). So you can install some “more”. But it’s better to roll your own OpenWRT build; it’s of similar difficulty to compiling the Linux kernel (the GUI is the same). And this option has insanely many options. You can exclude luci, for instance.

                    You have to be really careful with the --force-space option. If it reaches below 32KB while extracting, it’s time to reflash your router. :)

                  2. me

                    Hey,

                    how did you manage to monitor your VPN connections? I have added LED sections for interface tap0 into my /etc/config/system file, but depending on the mode ‘link’ or ‘rx tx’ the LED either flashes up all the time (I guess as soon as there is traffic on the wan interface?) or is constantly on… I have no clue how to monitor if there is a connection or not. Could you please provide the relevant part of your system file?

                    thanks…

                  3. Tyler Wagner

                    At the moment I can’t recall if it flashes or not. It definitely turns on when the interface exists. From /etc/config/system:

                    1. me

                      Hmmmm, that’s about what I have tried. But the interface already exists right after bootup. At least in my configuration using the openvpn startup script.

                      So for me, the LED flashes all the time, no matter if a VPN client is connected or not. Does it really make a difference in LED behaviour on your system if the client is connected via VPN or not?

                      1. Tyler Wagner

                        The tap/tun interface only exists when the VPN tunnel is up. If the tunnel is down, the interface is removed. If I bring down the interface by stopping OpenVPN, the LED does go out.

                        1. me

                          Okay, I checked the description of your openvpn config and your router is running as vpn client. Mine is configured as openvpn server, that’s why the tap interface does always exist. Now it all makes sense… I guess I only have to find another way to monitor my vpn connections then ;-)

                          1. Tyler Wagner

                            Ah, that would be considerably harder. You’d have to check for one of the following:

                            - Pings to the remote VPN endpoint.
                            - Log messages showing client up/down in the output of “logread”.
                            - If it exists, the content of the /etc/openvpn/openvpn-status.log. Online peers appear here, but the file is uploaded only every few minutes. This exists on a normal OpenVPN server but I can’t imagine OpenWRT defaults to making one.

                            Sounds like a job for a local script.
