Introduction

This guide will help you to get your B3 up and running with the latest release of Arch Linux.

Prerequisites

• A Serial Console Access on B3
• The latest community u-boot (Tips for flashing can be found here + here)
• A USB device with the Rescue System

The Arch part

Setting up the root device

There are several ways of doing this, depending on whether you are using a USB device or HDD as root device.
I'm going to assume that you are using a HDD.

Now - Boot up your Rescue System.

Once booted download the latest Arch tarball

 wget http://archlinuxarm.org/os/ArchLinuxARM-kirkwood-latest.tar.gz

Write a partitiontable on the device you want to use as root device

 cfdisk /dev/sd? # new -> primary

And format it as EXT4

 mkfs.ext4 /dev/sd?1

Now mount it and unpack the good stuff

 mount /dev/sd?1 /mnt
 tar xvf ArchLinuxARM-kirkwood-latest.tar.gz -C /mnt
 umount /mnt

If everything goes well you should have a bootable Arch system. (login root/root)

 [root@alarm ~]# uname -a
 Linux alarm 3.16.1-1-ARCH #1 PREEMPT Fri Aug 15 20:35:00 MDT 2014 armv5tel GNU/Linux

Last but not least, ReedWood has made a repository with B3 specific things for Arch, that you might want to take a look at.

I have Arch, now what?

Okay, you manage to install Arch on your Bubba. Congratulations! Now starts the configuration step, bringing your barely talkative device back to a functional router. The following steps are given as a guide to match a configuration similar to the one chosen by Excito. You may choose other configurations or technologies.

Prepare Network Interfaces

We'll first make sure our interfaces get a stable and useful name. This step is optional, but can prove quite useful in the long term. We simply use udev rules to fix interface names to our likings. Using ip link, identify the respective MAC address for the three network interfaces: LAN, WAN and Wifi. Then, create /etc/udev/rules.d/10-network.rules and write

 SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="wan0"
 SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="lan0"
 SUBSYSTEM=="net", ACTION=="add", ATTR{address}=="00:11:22:33:44:55", NAME="wifi0"

replacing the corresponding MAC addresses. You may choose different names for your interfaces, just remember what you choose for the following configuration files.

Network Configuration

The netctl way

Netctl is a network configuration tool based on profiles, very powerful and that integrates well with systemd. It should be provided by default, if not install it.

 # pacman -S netctl

Profiles are created in /etc/netctl. We will create two profiles, one for the WAN (external) interface, another for the LAN (internal) network, assembling the ethernet port and the wifi together. Create a first file, named something like wan. Use the following if the Bubba needs a static IP on that network (here 192.168.0.x address space).

 Description='Interface to Internet'
 Interface=wan0
 Connection=ethernet
 IP=static
 Address=('192.168.0.2/24')
 Gateway='192.168.0.1'
 DNS=('192.168.0.1')
 SkipNoCarrier=yes

To get a dynamic IP, you don't need that much:

 Description='Interface to Internet'
 Interface=wan0
 Connection=ethernet
 IP=dhcp
 SkipNoCarrier=yes

Now, let's configure the internal network. We will create a bridge, called br0, assembling lan0 and wifi0 in a virtual unique interface. First, install the required bridging tool:

 # pacman -S bridge-utils

Netctl will take care of the rest. Create a profile named to your likings, i.e. bridge.

 Description="LAN/Wifi Bridge connection"
 Interface=br0
 Connection=bridge
 BindsToInterfaces=(lan0) # hostapd will add wifi0 automatically
 IP=static
 Address=('192.168.1.1/24')

Now, start the profiles

 # netctl enable wan
 # netctl enable bridge

If you don't want to reboot, you can try

 # udevadm control --reload-rules
 # udevadm trigger --attr-match=subsystem=net
 # netctl start wan
 # netctl start bridge

but remember that it won't play nice if you're connected through SSH!

The systemd networkd way

All my attempts to understand this daemon failed miserably until now, so someone else, please write this section. :)

Wifi Access Point

Let's now setup the software access point, which will allow other devices to connect to the internal network using the wifi. We'll use hostapd for this, and configure it to create a WPA2 protected access point. However, the Bubba by itself doesn't generate enough entropy for all the cryptology needs, which would make the network rather slow. So we'll also need to install haveged, an entropy generator daemon.

 # pacman -S hostapd haveged

The configuration of hostapd happens in /etc/hostapd/hostapd.conf. Here is a sample configuration:

 ssid=<your network name>
 # Use one of the following two lines
 #wpa_passphrase=<the clear text wifi password>
 wpa_psk=<generated by "wpa_passphrase <SSID> <password>">
 interface=wifi0
 bridge=br0
 auth_algs=3
 country_code=SE # Unlock channels for your country, here germany
 channel=7       # Channel to use (best performance when 2 channels away from other used channels in the neightbourhood)
 driver=nl80211
 hw_mode=g
 logger_stdout=-1
 logger_stdout_level=2
 max_num_sta=5
 rsn_pairwise=CCMP
 wpa=2
 wpa_key_mgmt=WPA-PSK
 wpa_pairwise=TKIP CCMP

You can find more options there: commented hostapd.conf. wpa_passphrase is included in the wpa_supplicant package, but it can be run from your own PC, it is not required on the Bubba.

You're ready to activate the services.

 # systemctl enable hostapd
 # systemctl enable haveged
 # systemctl start haveged
 # systemctl start hostapd

NAT and Firewall

Using Shorewall

The Shoreline Firewall is a simple to use overlay to iptables, yet powerful. Its configuration is done in /etc/shorewall in several files. For a good start, we'll pull the template for a typical two-interfaces configuration.

 # cp /usr/share/doc/shorewall/Samples/two-interfaces/* /etc/shorewall/

Now, let's look in /etc/shorewall. In the file interfaces, you map network interfaces with shorewall's zones. Later, we will define rules between zones.

 #ZONE   INTERFACE       OPTIONS
 net     wan0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0,arp_filter=1
 loc     br0             tcpflags,nosmurfs,routefilter,logmartians

You may review the options I suggest according to your needs refering to the shorewall-interfaces manpage. I consider the net zone to be the hostile Internet, and the loc zone as the private network. ARP who-has requests coming from the Internet are not supposed to be able to discover devices on the private network. If you have a static IP on the wan interface, remove the dhcp option from the net zone. If you plan to have a DHCP server on the Bubba, activate the dhcp options on the zones the server will server (probably only loc).

The policy file should already be configured to allow the traffic to go from loc to net. However, by default the firewall itself (the Bubba) may not access the Internet. To change this, modify the file:

 #SOURCE       DEST          POLICY         LOG LEVEL      LIMIT:BURST
 
 $FW           net           ACCEPT
 loc           net           ACCEPT
 net           all           DROP           info
 # THE FOLLOWING POLICY MUST BE LAST
 all           all           REJECT         info

To activate masquerading, modify the file masq to replace the name of the interface (eth0) to the one you actually use as outgoing interface (wan0).

Edit the rules file to allow the necessary services. The following two lines show as example how to enable SSH on the usual port (22) for local connections, and on an alternative port for connections coming from the Internet (your SSH server has to be configured accordingly).

 SSH(ACCEPT)     loc       $FW
 ACCEPT          net       $FW       tcp      8022

Last but not least, enable Shorewall by changing the first option in /etc/shorewall/shorewall.conf:

 STARTUP_ENABLED=Yes

Activate the firewall:

 # systemctl enable shorewall
 # systemctl start shorewall