Saturday, March 28, 2009

Linksys & DD-WRT Tinkering

I actually performed this upgrade quite a while ago. Just trying to play catch-up with some documentation.

In this post I cover installation, general setup, OpenDNS, and Dynamic DNS.

DD-WRT is a free firmware upgrade for most consumer routers. It adds a great deal of functionality and control to your router that otherwise might not be available.

I was in need of a wireless router and knew I wanted to put DD-WRT on it, so I bought a Linksys WRT54GL - reported to be the most compatible and easiest to upgrade. And indeed it is.

Installation

Following the instructions on the install page for WRT54GL I was able to flash the firmware without any problems and had a new, stable, and better router. (Each router install is different depending on the model. Instructions for other routers can be found here.)

After I had been using it for a few months a new version was released so I performed an upgrade to v24-sp1. The following setup instructions are specific to v24-sp1.

Setup

When making changes in the setup I found that it works best if, after making all the changes needed on a page, you click the Save button and then click the Apply Settings button. If you don't click the Save button, the changes will be lost when you change pages. I have also run into problems with the router hanging and not responding if I click Apply Settings before clicking Save. (In these cases the router continues to function but doesn't respond to the web interface, even days later. Only a reboot snaps it out of this state.)

Some of the changes I made to the router setup are as follows (your needs may vary):

Administration - Management
Obviously, the first thing to do is change the default password.

Wireless - Basic Settings
Wireless mode - AP
Wireless network mode - mixed
Wireless Network Name (SSID) - (change this, don't leave it as default)

I had originally set Wireless SSID broadcast to Disable (for additional security), but our Wii game console can't find wireless networks that aren't broadcasting the SSID, so I had to change it back to Enable.

Wireless - Wireless Security
Security mode - WPA Personal
WPA Algorithms - TKIP
WPA Shared Key - ************* (Right - like I'm giving this out, but be sure to set it and remember it. If you forget it then you can unmask it.)

Wireless - Advanced Settings
The TX power can be changed here. Its default is 70 and I left it there, but it can be boosted for better performance if necessary. The older version used to recommend a maximum, but I can't remember what it was; 100 I think. It can be cranked up to 251 mW, which is probably not a good idea.

Services - Services

DHCP Server
The router has a built-in DHCP server, but in addition to leasing dynamic IPs I wanted it to lease static IPs to the known computers on the network. I looked up each computer's MAC address under Status - LAN and assigned each one a static IP address. This way each computer can continue to use DHCP (for easier setup) but always receive the same IP, so I can find it on the network.

DNSMasq
DNSMasq - Enable
Local DNS - Enable
Additional DNSMasq Options: strict-order

These settings are for use with OpenDNS. See below.

RFlow / MACupd
This service is for use with RFlow Collector. I've got a Windows server set up with RFlow Collector that I can use to monitor network and internet traffic. Yes, I snoop on my own network. I do this mainly because I can (like most things I do) and because I'm curious. Also partially because if I experience network problems it's another place to look when troubleshooting.

RFlow - Enable
Server IP - (enter server IP here)
Port - 2055 (default)
MACupd - Enable
Server IP - (same as above)
Port - 2056 (default)
Interface - LAN & WLAN
Interval - 10

On the server side I had to set up MySQL and RFlow Collector. Instructions here.

To view the logs I created a Microsoft Access front-end that imports the data from the MySQL tables (shared over an ODBC link) with queries that help to make sense out of it.

Secure Shell
I want to be able to SSH into the router. This is for a variety of reasons: troubleshooting, remote network access, etc. With a dynamic DNS service (more on that later) I could SSH from anywhere in the world with internet access.

SSHd - enable
SSH TCP Forwarding - Disable
Password Login - Disable
Port - (changed) I did not leave this at the default of 22, for security reasons
Authorized Keys - (enter public key here)

A few notes: I used public key authentication instead of password authentication here, again for security reasons. Without password authentication the router can't be hacked by guessing the password. The one disadvantage is that without my private key, I can't get into it either. More information on this and how to set up public/private key pairs can be found here.

NAT/QoS - Portforwarding
I have a webserver (that I'm really not doing anything noteworthy with at the moment, but have plans), so I use port forwarding to make the webserver visible to the internet.

Application - webserver
Port from - 80
Protocol - Both
IP Address - (IP address of webserver)
Port to - 80
Enable - check

OpenDNS

In order to filter internet content and be somewhat in control of what my kids have access to on the internet, I decided to use OpenDNS for DNS service instead of the default DNS my ISP provides.

After creating an OpenDNS account I made the following setup changes:

Setup - Basic Setup
Static DNS 1 - 208.67.222.222
Static DNS 2 - 208.67.220.220
Use DNSMasq for DHCP - check
Use DNSMasq for DNS - check
DHCP-Authoritative - check

To plug one of the holes used to get around these DNS filters I added the following commands to the firewall. They redirect any DNS query a LAN client sends to an outside resolver back to the router itself, so every lookup goes through DNSMasq and on to OpenDNS:
Administration - Commands
Firewall
   # Rewrite DNS (port 53, UDP and TCP) arriving on the LAN bridge to the router's own address
   iptables -t nat -A PREROUTING -p udp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)
   iptables -t nat -A PREROUTING -p tcp -i br0 --dport 53 -j DNAT --to $(nvram get lan_ipaddr)

In order to take full advantage of OpenDNS's filter capabilities, the router's WAN IP address needs to be registered with the OpenDNS account. But if the IP address changes (which is likely to happen with most ISPs) then the filter won't work. OpenDNS has a client-side application you can run on your computer that auto-updates the IP address with OpenDNS, or you can take advantage of the built-in functions of DD-WRT to do the same thing. See below.

Dynamic DNS

In addition to updating my dynamic IP address with OpenDNS, I wanted to have a human-usable domain name to see my webserver or SSH to my router whenever I'm away from the network. So I need a domain name and a dynamic DNS service to keep track of my IP address.

First I registered a domain name with DynDNS (it's free). DD-WRT has the ability to interface with DynDNS and auto-update my IP address with them directly, but I also needed to register my IP with OpenDNS. The router can't manage both at the same time.

That's where DNS-O-Matic comes in, an awesome service, also provided by OpenDNS, that can update your dynamic IP with several dynamic DNS providers. After setting up my DNS-O-Matic account to forward my IP to both OpenDNS and DynDNS, I just need to set up the router for the one service.

Following the instructions from DNS-O-Matic:

Setup - DDNS
DDNS Service - Custom
DYNDNS Server - updates.dnsomatic.com
Username - (enter username)
Password - (enter password)
Hostname - all.dnsomatic.com
URL - /nic/update?
Force Update Interval - 10 (default)
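As an added illustration (not DD-WRT's or DNS-O-Matic's own code), here is what those Custom DDNS fields turn into on the wire: the router issues a DynDNS2-style GET against the server and path above, carrying the username and password in HTTP Basic auth, and reads back a one-word status. The HTTPS scheme, the User-Agent string and the sample credentials are assumptions, not taken from this post.

```python
"""Compose and interpret a DNS-O-Matic update the way the router's custom DDNS
client does. Added illustration, not DD-WRT's or DNS-O-Matic's code; it
assumes the DynDNS2-style API exposed by updates.dnsomatic.com."""
import base64
import urllib.request

SERVER = "updates.dnsomatic.com"   # DYNDNS Server field from the router setup
HOSTNAME = "all.dnsomatic.com"     # Hostname field: update every service on the account
PATH = "/nic/update?"              # URL field

# Status words of the DynDNS2 protocol as returned by DNS-O-Matic (assumed set).
OK_CODES = {"good", "nochg"}
FATAL_CODES = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent"}

def build_update_request(username, password, myip):
    """Return (url, headers) for one update. Credentials travel in Basic auth,
    so the request must go over HTTPS, never plain HTTP."""
    url = f"https://{SERVER}{PATH}hostname={HOSTNAME}&myip={myip}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}",
               "User-Agent": "ddwrt-ddns-example/1.0 admin@example.invalid"}  # assumed value
    return url, headers

def parse_update_response(body):
    """Map a response line such as 'good 203.0.113.7' to (ok, code, detail)."""
    parts = body.strip().split(None, 1)
    code = parts[0] if parts else ""
    detail = parts[1] if len(parts) > 1 else ""
    if code in OK_CODES:
        return True, code, detail
    if code in FATAL_CODES:   # do not retry: credentials or hostname are wrong
        return False, code, detail
    return False, code or "empty", detail   # dnserr / 911: transient, retry later

def send_update(username, password, myip, opener=urllib.request.urlopen):
    """Send the update; the opener is injectable so the logic can be exercised offline."""
    url, headers = build_update_request(username, password, myip)
    with opener(urllib.request.Request(url, headers=headers), timeout=15) as resp:
        return parse_update_response(resp.read().decode("ascii", "replace"))
```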

Conclusion

DD-WRT has so much more functionality that I'm not using. It's a very interesting and exciting platform to play around with.

Sunday, March 22, 2009

Setting Up Shop

I received Setting Up Shop by Sandor Nagyszalanczy as a gift from my parents recently. I've been wanting to do a complete overhaul of my garage workshop since we moved here, but just never got to it. So I decided recently that this was the year I was going to try to make it happen. Since I'm only in the "dreaming" stage of the project right now, this was a very timely gift.

It's a great book for anyone in the planning stages of a workshop or just trying to get the best use out of an existing shop. Don't expect to find detailed plans and layouts though. It keeps ideas and plans general to be flexible to everyone's needs, budget, and workspace. It also covers pretty much every aspect of workshop design. While it's geared more toward a woodshop, many of the concepts could be applied to any kind of shop.

It has chapters on where to build a shop, construction, electrical, heating, equipment, layout, work areas, storage, dust collection, and safety. Each chapter is full of a variety of pictures that give great ideas on shop organization and construction for any shop, small or large. It covers everything from space saving tips for those working in a one-car garage to central dust collection for large pro shops. There are even charts for helping size equipment or design circuits.

I thought I knew enough from my own experience to take on this workshop redo without a problem, and I probably would have been okay. But this book has really helped fill in a few gaps and got me thinking about other ways of doing things that will really help me to make my future workshop even better. Thanks Mom & Dad!

Monday, March 16, 2009

Streaming Webcam Tinkering

Last Friday a friend showed me his chicken-cam. He got a wireless IP webcam and mounted it looking down into his chicken coop (currently just baby chicks in an indoor cage). That got me thinking (and something to do over the weekend). I had an unused PC sitting around that already had Ubuntu installed on it, and an old but decent webcam that I hardly use. I figured it wouldn't be too hard to put them both together and get some streaming video up and running. We've got some cockatiels sitting on some eggs right now. I could mount the camera there.

I had to make a trip into Portland on Saturday for a coin show (for David's coin collecting merit badge) and I was right next to Free Geek so I made a stop there to visit the thrift store. I picked up a couple USB webcams ($3 each) so I could use those instead of the better one I already have. These will be going into or on a bird cage and I'm not sure how well I'll be able to protect them...if you know what I mean. (I also picked up a 250GB drive for my Windows server for just $35, but that's not related.)

Stage 1: Getting the camera working in Ubuntu

Piece of cake. I plugged it in to the USB port. Done. Well, I actually did install some software just to make sure it worked.
   sudo apt-get install camorama

Camorama is just a simple webcam viewer. That's really all it does.

Stage 2: Install a webserver
   sudo apt-get install apache2 php5

I don't really have need of the PHP right now. I'm just slapping together some HTML pages to get things going. So, webserver...done.

Stage 3: Install Motion

Motion is a webcam application for linux that turns a simple webcam into a motion activated security camera. When it detects motion it will save still images and video to the hard drive for later viewing. It can be setup to take intermittent still shots. It will do timelapse videos. It even has a built in webserver for streaming video. Installing this was also a piece of cake in Ubuntu. I guess it's popular enough that it's available in the Ubuntu repositories.
   sudo apt-get install motion

Some minor modifications to the configuration files were needed (the config files are located in /etc/motion). The following changes were made; everything else was left at its default. Explanations of each setting are given in the config file. I set it up to run with 2 webcams.

motion.conf
   daemon on
   framerate 2
   # cap each motion-triggered movie at 600 seconds
   max_mpeg_time 600
   output_normal best
   output_motion off
   ffmpeg_cap_new on
   ffmpeg_timelapse 60
   ffmpeg_video_codec msmpeg4
   # a still image every 60 seconds, saved under the web root
   snapshot_interval 60
   target_dir /var/www/motion
   # built-in stream server; webcam_localhost off lets clients other than 127.0.0.1 connect
   webcam_port 8081
   webcam_localhost off
   control_port 8080
   thread /etc/motion/thread1.conf
   thread /etc/motion/thread2.conf

thread1.conf
   videodevice /dev/video0
   text_left CAMERA 1
   target_dir /var/www/motion/cam1
   webcam_port 8081

thread2.conf
   videodevice /dev/video1
   text_left CAMERA 2
   target_dir /var/www/motion/cam2
   webcam_port 8082

Running motion:

sudo motion -n

The -n option forces it into non-daemon mode (it doesn't release the console, so I can turn it off more easily). I'll set it up to run automatically in the background once I have it set up exactly where I want it.

At this point I just started goofing around with it and having fun playing with the motion capture portion. Basically acting like a 13-year-old with some "spy" toys.

Once everybody was sick of me and I had had my fun it was time to move on to...

Stage 4: Get it streaming

The harder part.

It took some scouring of the web and looking at the code behind some example web pages to get this going. But with a little trial and error things worked out with less effort than I thought it was going to take.

I actually did get it streaming right away after installing Motion. But it didn't work quite right on Firefox (my browser of choice) and it wasn't embedded into a webpage the way I wanted it to. There was also no way it was going to be accessible outside my network without poking a bunch of holes in my firewall. No thanks. So I had to find another way. Other people were doing it. I figured it couldn't be all that hard.

Stage 4a: Installing a Java applet to make a clean and embedded stream.

The creator of Motion recommended Cambozola. I was thrown off by the install. It just involved a simple "move this directory to where you want it." Not what I was expecting, but it worked. I moved the whole thing to my /var/www directory.

The following code gets a nice looking stream onto a web page.

<applet code="com.charliemouse.cambozola.Viewer"
        archive="/cambozola-0.70/dist/cambozola6.jar"
        width="325" height="245"
        style="border-width:1px; border-color:gray; border-style:solid;">
   <param name="url" value="127.0.0.1:8081">
</applet>

Stage 4b: Get it working outside the network

The problem with the above code is that end value "127.0.0.1:8081". Any computer that is not the computer running Motion won't find anything at that address. I could change the address to the IP of the computer running Motion but then it only works inside my network. If I want to see the stream from anywhere outside my network I had to find another way.

Fortunately, the creator of Motion also made a nice little app that proxies the Motion webserver: MjpegProxyGrab. This install was very easy; just follow the instructions on that page.

One mistake I made was not knowing where my cgi-bin was. I thought I could just make a cgi-bin in the /var/www directory. But when I tried viewing the web page I just got an error that the application couldn't be found. I dug through the server error log (/var/log/apache2/error.log) and found that it was looking in the wrong place. Instead of trying to redirect everything to the cgi-bin that I put in the wrong place, I just moved the apps to the right bin in /usr/lib/cgi-bin. After that things were working perfectly. Use the following code to embed it in a web page.

<applet code="com.charliemouse.cambozola.Viewer"
        archive="/cambozola-0.70/dist/cambozola6.jar"
        width="325" height="245"
        style="border-width:1px; border-color:gray; border-style:solid;">
   <param name="url" value="/cgi-bin/nph-mjprox?1">
</applet>
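The proxy and the applet both read the same multipart/x-mixed-replace ("MJPEG") stream that Motion publishes on webcam_port 8081. As an added example, not code from Motion, Cambozola or MjpegProxyGrab, this parser splits that stream into individual JPEG frames and drops parts that are not actually JPEGs, which is what any proxy sitting in front of the stream should do before relaying bytes to a browser; the boundary string is assumed and the sample frames are constructed.

```python
"""Parse the multipart/x-mixed-replace ("MJPEG") stream Motion serves on its
webcam_port, which is what Cambozola and the nph-mjprox CGI consume.
Added example, not code from Motion or Cambozola; the boundary string is
assumed and the sample frames below are constructed stand-ins."""

def iter_mjpeg_frames(data, boundary=b"--BoundaryString"):
    """Yield (headers, jpeg_bytes) per part. Honours Content-Length when the
    part carries one and otherwise scans ahead for the next boundary."""
    pos = data.find(boundary)
    while pos != -1:
        hdr_start = pos + len(boundary)
        hdr_end = data.find(b"\r\n\r\n", hdr_start)
        if hdr_end == -1:
            return                                # truncated part: stop cleanly
        headers = {}
        for line in data[hdr_start:hdr_end].decode("latin-1").split("\r\n"):
            if ":" in line:
                key, val = line.split(":", 1)
                headers[key.strip().lower()] = val.strip()
        body_start = hdr_end + 4
        if "content-length" in headers:
            length = int(headers["content-length"])
            body = data[body_start:body_start + length]
            if len(body) < length:
                return                            # frame cut off mid-stream
            nxt = data.find(boundary, body_start + length)
        else:
            nxt = data.find(boundary, body_start)
            end = nxt if nxt != -1 else len(data)
            body = data[body_start:end].rstrip(b"\r\n")
        # Accept only parts that really are JPEGs (SOI ... EOI markers present),
        # so a relay never hands non-image bytes to a client's image decoder.
        if (headers.get("content-type", "").startswith("image/jpeg")
                and body.startswith(b"\xff\xd8") and body.endswith(b"\xff\xd9")):
            yield headers, body
        pos = nxt

def count_frames(data, boundary=b"--BoundaryString"):
    return sum(1 for _ in iter_mjpeg_frames(data, boundary))

# Constructed two-part sample in Motion's layout; payloads are stand-in JPEGs.
FRAME1 = b"\xff\xd8" + b"A" * 10 + b"\xff\xd9"
FRAME2 = b"\xff\xd8" + b"B" * 6 + b"\xff\xd9"
SAMPLE = (b"--BoundaryString\r\nContent-type: image/jpeg\r\n"
          + b"Content-Length: %d\r\n\r\n" % len(FRAME1) + FRAME1 + b"\r\n"
          + b"--BoundaryString\r\nContent-type: image/jpeg\r\n\r\n" + FRAME2
          + b"\r\n--BoundaryString\r\n")
```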

I do still need to figure out how to get the digital certificate warning to go away though.

Stage 5: Locate cameras and begin streaming

Actually, this stage is yet to come. I don't want to make too many changes to the nest right now while the birds are still tending the eggs. We don't want them to panic and abandon them. So I'm going to do this part later. Maybe after the eggs hatch. Meanwhile, I've got to find some other use for this new toy. Maybe we'll also do a butterfly-cam soon.

I also verified that the cameras can see infrared (I just pointed a TV remote control at the camera and could see the light emitted by the IR LEDs), so I plan to make a ring of IR LEDs to go around the lenses of the cameras for night viewing inside the bird nest. I just need to verify that cockatiels don't see infrared so they won't be disturbed by it.