OpenWrt Barrier Breaker metarouter instance on MikroTik RB-2011

posted by on 2015.01.10, under collected, configuration, general, networking


While looking around for a new router for my home network I stumbled over the RB2011UiAS-2HnD-IN produced by MikroTik. It uses a AR9344-DC3A-R SOC (@600Mhz) and offers a broad range of interfaces:

  • 5x 1Gbit copper ports (+ 1x SFP copper/fiber)
  • 5x 100 MBit copper ports
  • 128 MB of RAM and FLASH
  • 802.11 b/g/n wireless interface
  • a micro USB 2.0 port (that can be used to attach storage using an OTG cable)
  • a small color touch display
  • a CISCO-style RJ45 console port

All that is covered by a solid metal chassis and sold for ~120 € – not that bad.The LINUX-based routerOS offers an intuitive CLI – but there is no way to install private packages. So I had a look at to check if OpenWrt is running on this thingy… – it does. But after digging a little bit deeper I found something really awesome: it is possible to run up to 7 virtual instances of OpenWrt on top of the router OS using a mechanism called Metarouter. And each of the instances can be connected to the environment (the external network / other instances, …) using

  • the physical network ports of the router and
  • virtual interfaces connected to other virtual/physical interfaces using (LINUX-) bridges.

That creates the ability to reduce the footprint of my hardware infrastructure significantly by using (buzzword mode on) consolidation via virtualization (buzzword mode off). In fact, by using Metarouter(s) I’m able to replace two „fat“ routers (one running a public access point [currently a WRT 54G], another on used inside our home network [a TPLINK WR1043ND]) and a smaller one (TPLINK 703N) running my private JABBER server by one box. And the concept of having bridges connecting virtual and physical interfaces makes the whole setup a way easier to handle (splitting the network into a private and public network using just one WRT54G + OpenWrt was no fun). And at the end of the day I can keep all my configurations used in the old OpenWrt based setup…

The sad thing: MikroTik only provided support (by publishing patches) for OpenWrt up to Backfire (10.3, first release in 4/2010, 2.6.31) – and I was not able to find any sign that they will continue. Happily liquidcz from the MikroTik forum was able to create a patch usable for Attitude Adjustment (12.09, 4/2013, kernel 3.3). This worked fine – but the successor of AA – Barrier Breaker (10/2014, kernel 3.10.49) brought lots of updates (mainly related to the packages – but also to the kernel). I picket up liquidcz patch and adapted it to be usable with Barrier Breaker. And it was easier then expected :). So this is the outline on how to build OpenWrt Barrier Breaker to be used as a virtual instance on a MikroTik router:

build the firmware image for Mikrotik metarouter

git clone git:// barrier_breaker
cd barrier_breaker
patch -p1 < ../openwrt_metarouter_1407.patch
make defconfig
make prereq
make menuconfig
# select 'Mikrotik MetaROUTER MIPS' as target system; save and exit, build...
make -j $(nproc)

The created image is placed in bin/mr-mips/.

build additional packages

./scripts/feeds update -a
./scripts/feeds install -a
make menuconfig
# select the packages you need and run make again...
make -j $(nproc)

You can find the packages in bin/mr-mips/packages/.

build all packages

# the option CONFIG_ALL=y (build all packages) didn't work for me
# I removed all packages and re-installed them using the flag -d m - default for newly installed packages
./scripts/feeds remove -a
./scripts/feeds install -a -d m
make -j $(nproc)

trouble shooting

  • if a build using make -j $(nproc) fails, rerun with make -j1
  • if it still fails, rerun with make -j1 V=s
  • if the builder is not able to fetch a packet, check if you could find another source and adapt the Makefile located in the packages// director

Since the flash storage of the router is accessible via FTP, the created image can be pushed down to the device using curl…

curl -T openwrt-mr-mips-rootfs.tar.gz --user admin:

Creating a virtual instance on the router is done using CLI metarouter command:
[admin@MikroTik] > metarouter import-image file-name=openwrt-mr-mips-rootfs.tar.gz
imported: 100%

looking up /rw/vm/8
[admin@MikroTik] > metarouter print
Flags: X - disabled
0   mr8  16MiB         unlimited       6711kiB   running

[admin@MikroTik] > metarouter console mr8
BusyBox v1.22.1 (2015-01-10 00:19:59 CET) built-in shell (ash)
Enter 'help' for a list of built-in commands.

_______                     ________        __
|       |.-----.-----.-----.|  |  |  |.----.|  |_
|   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
|_______||   __|_____|__|__||________||__|  |____|
|__| W I R E L E S S   F R E E D O M
BARRIER BREAKER (Barrier Breaker, r43889)
* 1/2 oz Galliano         Pour all ingredients into
* 4 oz cold Coffee        an irish coffee mug filled
* 1 1/2 oz Dark Rum       with crushed ice. Stir.
* 2 tsp. Creme de Cacao
root@OpenWrt:/# free
total         used         free       shared      ...
Mem:         13480        10468         3012
-/+ buffers:              10468         3012

As you could see, BB is very demanding in the context of memory (even a stripped BB firmware – more or less all services from the default image removed, no IPv6 support – needs at least 9 MB). Since the stock router offers ~110 MB of free RAM you can easily run up to 4 instances where each uses 24 MB.

The setup of network interfaces is well documented in the metarouter manual and straight forward.

If you need to store a lot of data you can use the micro USB port to attach any USB storage using an OTG-cable:

[admin@MikroTik] > store disk print
Flags: S - system
0 S system 126976KiB      43440KiB ready
1   usb1    985192KiB     967532KiB ready

IMPORTANT: The USB drive must be formated with the (proprietary) MetaFS filesystem – so all data on the USB drive is lost.

Since the storage of the router is exported via FTP, curlftpfs can be used to mount a folder located on the attached USB drive into the local file system of an OpenWrt instance. Do not try to abuse the system as NAS device – the storage access eats the CPU (if you do a file transfer to the USB storage the CPU usage goes up to 100%).

ressources / links

original patch created by liquidcz: here

patch for Barrier Breaker: openwrt_metarouter_1407.patch

default fw image (Barrier Breaker, r43889): openwrt-mr-mips-default-image-rootfs.tar.gz

lowered memory footprint: openwrt-mr-mips-small-image-rootfs.tar.gz

image builder: OpenWrt-ImageBuilder-mr-mips-for-linux-x86_64.tar.bz2

binary packages: here


Have phun!

collected: SELinux-module example for mod_tile

posted by on 2012.02.05, under collected, configuration, linux, security

For a project@work I had to setup an open street map server on Scientific Linux 6.1 (64 bit) for rendering the map of the BRD. For this I installed all needed components – and run into big trouble with mod_tile. This module is responsible for taking queries for map-tiles from the apache, forward it to the render daemon and deliver the images back. mod_tile and renderd communicate via an unix socket. And SELinux prevents mod_tile – that runs in the context of httpd – to access the socket. A short grep of the web gives a general answer: disable SELinux. Since SELinux was also a long time common problem to me (yes, I used echo „0“ > /selinux/enforce some times) I decided to accept the challenge… and after reading a lot I got a solution:=).

The following description should work in general if you have trouble with „access-denied-by-SELinux“-problems. The process is quite easy: use the output of the SELinux-audit-logging for create a probate module. Step by step:

0. be sure that SELinux is your problem. Maybe you got error messages like „permission denied“ when accessing files – and you already give full access via chmod/ (if the application gives no output use strace and grep for EACCES, use -e trace=… to filter systemcalls) and/or set the correct security context by chcon/restorecon. Have a look at the boolean shortcuts (getsebool -a | grep ) to check if there is an option to permit the needed action/access.

1. check SELinux-audit-log (/var/log/audit/audit.log) for entries that are related to your problem. If there is nothing enable audit by restart your machine with an additional kernel parameter audit=1. For mod_tile we captured 2 entries:

type=AVC msg=audit(1328183212.312:383): avc:  denied  { connectto } for  pid=2314 comm="httpd" path="/var/run/renderd/renderd.sock" scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1328182336.427:158): avc:  denied  { write } for  pid=2017 comm="httpd" name="renderd.sock" dev=sda2 ino=2097727 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=sock_file

Put the relevant entries into a separate file like audit.out. module the long way – so you see what happens…

/*build the module description aka "the source" into apachemodtile.te*/
#>cat audit.out | audit2allow -m apachemodtile > apachemodtile.te
#>cat apachemodtile.te
module apachemodtile 1.0;
require {
type unconfined_t;
type var_run_t;
type httpd_t;
class sock_file write;
class unix_stream_socket connectto;
#============= httpd_t ==============
allow httpd_t unconfined_t:unix_stream_socket connectto;
allow httpd_t var_run_t:sock_file write;

/*build the binary module apachemodtile.mod*/
#>checkmodule -M -m -o apachemodtile.mod apachemodtile.te
/*build a SELinux policy module package in apachemodtile.pp*/
#>semodule_package -o apachemodtile.pp -m apachemodtile.mod

2b. use audit2module – does all of 2a in one step:

#>cat audit.out | audit2allow -M apachemodtile

3. install the module permanently:

/*modul goes (SL61) to /etc/selinux/targeted/modules/active/modules/apachemodtile.pp*/
#>semodule -i apachemodtile.pp

After this mod_tile was able to connect to the socket of the renderd. Quite easy 🙂

Fedora 14 & GRUB2

posted by on 2011.02.19, under bootloader, configuration, linux

Forced by a project@work I had to install GRUB2 in Fedora 14. Here is a simple description of what I have done to got it running:

1. install the new „grand unified bootloader package“ by

#>yum install grub2 gettext

Attention: at this time, Fedora uses multislot – GRUB Legacy (0.9x) and GRUB2 could be installed parallel.

2. edit/create the new /boot/grub2/grub.cfg

2.1 My old /boot/grub/grub.conf looks like:
title GNU GRUB 2, (1.98)
    kernel /grub2/core.img
title Fedora (
    root (hd0,0)
    kernel /vmlinuz-2.6.35-45.fc14.i686 ro root=UUID=<25d8da7f-a-realy-big-uid-e20c61d3f977
    initrd /initramfs-2.6.35-45.fc14.i686.img

In the snipped above you could see that GRUB2 is allready inserted into the grub.conf of your old GRUB. You could use it for boot into the GRUB command-line.

2.2. create a new grub.cfg
Important: in GRUB Legacy (the old GRUB) the partition-numbering starts with 0. In GRUB2 the numbering starts with 1. So hd0,0 from above becomes hd0,1 eg.
Check/note on witch device/partition your /boot and root is located and witch UUID it has assigned (mount gives you the device /dev/sd…, blkid the associated UUID), sample:
/dev/sda2 on / type ext4
/dev/sda1 on /boot type ext4
/dev/sda1: UUID="b3d32...733b" TYPE="ext4"
/dev/sda2: UUID="25d8d...f977" TYPE="ext4"

3. Now run
 #>grub2-mkconfig -o /boot/grub2/grub.cfg

The output is placed into /boot/grub2/ – do a cat on it and compare the UUID for /boot and root with the ones from above (and maybe compare against your old grub.conf) … and yes, hd0,0 is now hd0,1 .

4. The final step: install the new GRUB on the disc…
First only test that everything is fine… (without writing to MBR assuming the target drive is /dev/sda):
#>grub2-install --grub-setup=/bin/true /dev/sda
Installation finished. No error reported.

Now lets use the real bullet:
#>grub2-install  /dev/sda
Installition finished. No error reported.

5. Finally

And it works. For me. Now.

GRUB2 offers 1000nds new possibilities (ohh, it has a LUA-shell, there is module-support, submenus, theming, …)

For learning: boot the core.img, load kernel and ramdisk by hand. boot. check console commads ls & cat.

Have a look at: