Trikarus uses a router running Freifunk firmware to build a network that can be used remotely. The router can be accessed from outside via SSH, or from another Freifunk router, also via SSH. You can also reach the Freifunk router through the connected Raspberry Pi, which has an external connection via WireGuard. This makes it possible to build a long communication path (client computer → WireGuard server → WireGuard client @ Raspberry Pi → Freifunk router).
Reasons to access Trikarus devices from external / outside
- Access to the web services (Raspberry Pi, Repetier Server, Duet Web Control, Grafana, InfluxDB, webcam, ...)
Access to the Freifunk node via SSH key
The Freifunk router can be accessed from the wide web and from the localhost network over IPv6. Using the IPv4 network does not work (neither from localhost nor from outside). This was tested from different clients, with the result "permission denied". I guess it's a configuration setting in dropbear which I did not change and which I don't want or need to change.
- Hardware: Router TL-WR842N by TP-Link
- Firmware: firmware.chemnitz.freifunk.net/chemnitz/stable/factory/gluon-ffc-b20171101%2Brly20200120%2Bv2017.1.8-tp-link-tl-wr842n-nd-v3.bin
Configuring device name
It can happen that the router is up and running fine but its time is not up to date. If the time is not set properly, cron jobs will fail.
We can get latitude and longitude from mapcoordinates.net, for example.
Remove unneeded SSH keys from unknown admins
- It seems that Ed25519 key pairs on Freifunk Gluon using dropbear, which were generated with KiTTY Keygen and uploaded to server + client, cause undefinable bugs with the SSH connection. RSA key pairs work properly.
- IPv6 sometimes fails, so the router is not always available from the regular web. SSH access from outside sometimes fails, which makes the router harder to maintain.
- Freifunk Chemnitz does not work in other cities. It then cannot easily mesh with other Freifunk nodes. A better approach to being fully mobile would be to use a router with a SIM card, or to have some WAN access to plug an uplink cable into the router. Maybe another device could be utilized with IC-VPN.
- Meshing is often unstable when the TQ (transfer quality) value is low. This results in dropped packets and lower bandwidth.
DNS / resolving of hostnames
Device names / host names are not announced in the Freifunk network, for better anonymity. There is only IPv4 and IPv6 to communicate (e.g. "nslookup 10.149.11.71" returns "Server: UnKnown"). To get all devices from .ffcmesh you can run arp-scan from any Windows or Linux client. This way, device availability can be monitored from outside by comparing recent IP addresses with fixed MAC addresses.
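Added example, not part of the original page: one way to do the comparison described above, by parsing arp-scan's tab-separated output and checking it against a list of fixed MAC addresses. The inventory, the MAC addresses, the sample scan text and the function names are constructed placeholders.

```python
import re

# Constructed inventory: fixed MAC address -> device name (placeholder values).
INVENTORY = {"b8:27:eb:00:00:01": "raspberry-pi", "00:11:22:00:00:02": "duet"}

# Constructed sample in the tab-separated layout that arp-scan prints.
SAMPLE_SCAN = """\
Interface: eth0, type: EN10MB, MAC: b8:27:eb:00:00:09, IPv4: 10.149.11.70
Starting arp-scan with 256 hosts
10.149.11.71\tB8:27:EB:00:00:01\tRaspberry Pi Foundation
10.149.11.90\t02:aa:bb:cc:dd:ee\t(Unknown)
10.149.11.90\t02:aa:bb:cc:dd:ee\t(Unknown) (DUP: 2)

3 packets received by filter, 0 packets dropped by kernel
"""

# An IPv4 address, whitespace, then a MAC address; everything else is header/footer.
HOST_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\b")

def parse_arp_scan(text):
    """Return {mac: ip} for each responding host; duplicate replies keep the first IP."""
    seen = {}
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            seen.setdefault(m.group(2).lower(), m.group(1))
    return seen

def availability(scan_text, inventory, last_ips=None):
    """Compare one scan with the MAC inventory and the IPs seen in the previous run."""
    seen = parse_arp_scan(scan_text)
    known = {mac.lower(): name for mac, name in inventory.items()}
    last_ips = last_ips or {}
    report = {"online": {}, "offline": [], "moved": {}, "unknown": {}}
    for mac, name in known.items():
        ip = seen.get(mac)
        if ip is None:
            report["offline"].append(name)      # expected device did not answer
            continue
        report["online"][name] = ip
        if last_ips.get(name, ip) != ip:        # same MAC, new address
            report["moved"][name] = (last_ips[name], ip)
    # MACs that answered but are not in the inventory: unexpected hosts on the segment.
    report["unknown"] = {mac: ip for mac, ip in seen.items() if mac not in known}
    return report

if __name__ == "__main__":
    print(availability(SAMPLE_SCAN, INVENTORY, {"raspberry-pi": "10.149.11.64"}))
```

Feeding it the saved output of each scan run, together with the `online` mapping from the previous run, shows which known devices dropped off, which changed address, and which unlisted MAC addresses appeared.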
Private SSID (second SSID next to chemnitz.freifunk.net)
Switch mode vs mesh mode and overnight security
In default mode, the Freifunk router connects all Wi-Fi and LAN clients to the Layer 2 switch of the Freifunk network. Sometimes this is unstable, and even local clients cannot connect to each other on the same local switch. Furthermore, all other Freifunk nodes can run port scans against the locally connected devices (exposed hosts). To prevent attacks and port scans overnight, the idea is to take the Raspberry Pi and Duet devices out of the Freifunk network during a defined time slot. To do this, we can move the eth0 interface from LAN to WAN. The devices will then talk to each other only as on a regular switch, and they will have no access to the internet. In switch mode, the locally connected devices (Raspberry Pi, Duet, client computer) default to the IP range 169.254.XXX.XXX instead of 10.149.XXX.XXX.
- Network overview and hardening
- Duet Web Control and Repetier Server Macros
- Duet 2 and Duet Web Control
Switching mode manually
Check the current state
WAN at all LAN ports (change to local switch mode)
Client network on LAN ports (undo switch mode → restore defaults)
As all-in-one command from hangdevice
This is configured as alias "swimo" in /root/.bash_aliases
To switch back from switch mode to mesh mode, you need to connect to the router from outside localhost! You should be able to do this by just connecting to chemnitz.freifunk.net via Wi-Fi instead of via LAN.
Overnight change to switching mode
The scripts as crontab
In Gluon there is no /etc/cron.d directory
For better debugging, we can also try to grab the output by accessing the Freifunk router externally using ssh. Because dropbear ssh has no rsync, we cannot use rsync synchronization between hangdevice and the Freifunk router. But we can use the regular ssh command, like this:
USB slot / mount point
Note: USB devices do not work on the Freifunk router by default, but can be activated later via workarounds. This requires a deeper reconfiguration.