Thursday, August 4, 2016

Using Arch Linux as router/firewall on the Raspberry Pi3

The last post I explained how I got a Raspberry Pi3 to work as a wifi router/firewall using Gentoo Linux. So this post I will explain how to configure Arch Linux on the RPI3.

OS Install

There is no downloadable images for the RPI at the official Arch Linux site. The ARM port for Arch is maintained independently at the Arch Linux ARM site. The instructions for setting the SD card for the RPI3 are pretty simple and straightforward. The only addition there is needed is to add the following lines to the /boot/config.txt file if you want to use a serial console.


The RPI3 should boot normally and if you are using a serial console there should be no issues. Once Arch boots update your system by entering pacman -Syu. It should not take long then proceed to setting up the interfaces.

Interface Configuration

The documentation to set up the network interfaces can be found here. These are the steps.

First cd to the /etc/systemd/network directory. There you see a file called This file controls how the interface is set up. Remember that the RPI3 changes its MAC address after every reboot. So this part needs to be added to the file to prevent this.

MACAddress=current mac address

The current mac address can be found with the command ip link. Then to set up the wlan0 interface, make a copy of the file and call it with cp Next make the following changes.


Address= or whatever ip scheme you choose

MACAddress=current mac address

Finally reload the systemd-networkd servivce with the command systemctl restart systemd-networkd and the wlan0 interface will come up.

Networking, DHCP, and DNS Configuration

In order to enable networking copy the /usr/lib/sysctl.d/50-default.conf file to /etc/sysctl.d/ directory. Then add these lines at the end.

# Enable routing
net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Restart sysctl with sysctl -p /etc/sysctl.d/50-default.conf and routing is enabled.

I used dnsmasq for both DHCP and as a local DNS resolver. Install the package by entering pacman -S dnsmasq. Then take the default /etc/dnsmasq.conf file and back it up with mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak. Create a new /etc/dnsmasq.conf file and add the following.


If you try to start the service now it will fail. This is because systemd has it own resolver that will conflict with dnsmasq. This needs to be disabled before you proceed by doing this.

systemctl stop systemd-resolvd
systemctl disable systemd-resolvd

Afterwards add these lines or similar to /etc/resolv.conf


Finally you can enable dnsmasq.

systemctl enable dnsmasq
systemctl start dnsmasq

Hostapd Configuration

Install hostapd with  pacman -S hostapd. Then like with dnsmasq make a backup of the default config file and create a blank one and add the following.


Then enable the service.

systemctl enable hostapd
systemctl start hostapd

iptables Configuration

The setup of iptables is pretty similar to what was done on the Gentoo post with some differences. Here are my rules.

iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A INPUT -i wlan0 -j ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -A FORWARD -s -i wlan0 -j ACCEPT
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

These rules need to added to the /etc/iptables/iptables.rules file or systemd will not start the service. This is done with the command iptables-save > /etc/iptables/iptables.rules. Then enable the service.

systemctl enable iptables
systemctl start iptables

This should be all you need to get the RPI3 working as a wifi router with Arch Linux.

Final thoughts on systemd

Arch Linux uses systemd as its init system. It is a significant change from the init systems found in other Unix operating Systems (ie the BSDs) as well OpenRC that Gentoo Linux uses. A lot has been written over the change to systemd and the benefit or hurt it has brought to Linux. If you want to read more on it a simple google search will suffice. Here are some of  my thoughts. I have set up routers/firewalls both physical and virtual using Gentoo, FreeBSD, NetBSD, and OpenBSD. In everyone of these OSs the init system did not get in my way. Setting up the services was straightforward, the documentation was easy to find and digest. I did not have that experience with systemd. As a Linux user when the Distros I used moved to systemd, I really did not see what all the fuss was about. I heard how some sysadmins were just not happy at how systemd was in their words 'taking over everything'. It wasn't until I tried to set networking on a distro that used systemd that I began to see their point. Systemd really does reach into a lot. It has its own local resolver that you need to disable if you want to set dnsmasq. The Arch Linux Router page on the wiki does not tell you this or at least let you know how to check beforehand. Setting up the interfaces was not straight forward. Should I use netctl or systemd-networkd? I want to be fair. Once I sifted through the docs I was able to get everything work. Now if I need to do this again I can go through the steps fairly quickly. However with other init systems there was very little sifting needed (if any) and I did not run into the gotchas that I did with systemd. I am not trying to be a systemd hater, what I am saying is that is very different. As systemd grows in adoption makers and administrators of Linux based network appliances will probably need relearn how to set up their systems. 

Tuesday, August 2, 2016

Making a router/firewall with Gentoo and Raspberry Pi3

I have small growing collection of Raspberry Pi2s and 3s to tinker with. ARM SoCs (System on Chips) are low powered yet very resourceful machines. I find these boards really neat to work on. I will show how to take a RPI3 and turn it into a wifi router. I chose the RPI3 over the RPI2 b/c the RPI3 has integrated wifi. The RPI2 needs a USB wifi dongle, which means it is competing with the ethernet port since USB and ethernet share the same system bus. The RPI3 has a separate bus for the integrated wifi which means better performance.

OS Install

Since I am big fan of Gentoo Linux I chose it as the OS for my router. The Gentoo Wiki has fantastic documentation and was a tremendous help in getting the router working. There is a quick start guide in the wiki that will get your SD card ready.

I use a serial console to access the device. Now since the RPI3 has bluetooth there extra work needed to get console access via serial. This has been documented here. Gentoo needs the following.

First you have a /boot/cmdline.txt file with the folllowing:

gentoo-rpi3 rican-linux # cat /boot/cmdline.txt
dwc_otg.lpm_enable=0 console=ttyAMA0,115200 root=/dev/mmcblk0p2 rootfstype=ext4 elevator=deadline rootwait

Then you need a /boot/config.txt file with the follwing:

gentoo-rpi3 rican-linux # cat /boot/config.txt
# See /boot/overlays/README for all available options

gpu_mem = 64

Finally you need to edit the following section of the /etc/inittab file

s0:12345:respawn:/sbin/agetty -L 115200 ttyAMA0 vt340
#s0:12345:respawn:/sbin/agetty -L 9600 ttyS0 vt100

#s1:12345:respawn:/sbin/agetty -L 9600 ttyS1 vt100

With these files in place you should be able to insert the SD card, connect the serial console to the GPIO pins and the OS should boot.

Initial setup

Once you are in you will want to set a root password and update the system. Before the update is performed be sure /etc/portage/make.conf is set the way you want it. Here is my setup:

gentoo-rpi3 rican-linux # cat /etc/portage/make.conf
# These settings were set by the catalyst build script that automatically
# built this stage.
# Please consult /usr/share/portage/config/make.conf.example for a more
# detailed example.
CFLAGS="-O2 -pipe -march=armv7-a -mfpu=vfpv3-d16 -mfloat-abi=hard"
# WARNING: Changing your CHOST is not something that should be done lightly.
# Please consult before changing.

# This sets the language of build output to English.
# Please keep this setting intact when reporting bugs.

Then execute the following commands

emerge --sync
Emerge -avuND @World

This should take a while since Gentoo compiling all the packages from source. Once this is completed you will need to install the linux-firmware package. This is done by typing emerge -av linux-firmware. Finally reboot.

Wireless and Ethernet interface setup

Once Gentoo reboots verify the wireless interface is recognized by entering ifconfig -a. If there is no wlan0 interface then run the following command dmesg |grep brcmfmac. If you see the following then the kernel is not loading the proper firmware:

[    8.963114] brcmfmac_sdio mmc1:0001:1: Direct firmware load for brcm/brcmfmac43430-sdio.bin failed with error -2
[    9.968646] brcmfmac: brcmf_sdio_htclk: HT Avail timeout (1000000): clkctl 0x50
[   10.978751] brcmfmac: brcmf_sdio_htclk: HT Avail timeout (1000000): clkctl 0x50

If this occurs first verify that wireless firmware is in the /lib/firmware/brcm directory. If the files are there then try reloading the kernel module. This by done by entering the following commands:

modprobe -r brcmfmac
modprobe brcmfmac

Then run ifconfig -a again to see if wlan0 is recognized. If not then download and install the latest brcm firmware files from the RPI github site. Once the the files are copied to /lib/firmware/brcm reload the kernel module again. The wlan0 interface should be recognized.

Now it is time to configure networking. Gentoo use OpenRC as its init system. OpenRC uses the /etc/conf.d/net file to manage the network interfaces. I will post my config file and then explain:

gentoo-rpi3 rican-linux # cat /etc/conf.d/net
# Set mac address on interfaces
mac_eth0 = "b8: 27: eb: 25: 89: 1e"

# wlan0 settings
modules_wlan0="!iwconfig !wpa_supplicant"
config_wlan0=" netmask"

The first section sets the mac address of the interfaces. The RPI3 assigns a new mac address to the interfaces after every reboot. This first section will keep that from happening. The next section defines the wlan0 interface.

The first line is what is needed to set wlan0 as an AP. The second line set the ip address of the interface.

Before we activate the interfaces verify that the /etc/resolv.conf is not symlinked to the resolv.conf file found in /lib/systemd by typing ls -l /etc/resolv.conf. If this is the case then unlink the file by typing unlink /etc/resolv.conf.

Finally activate the interfaces.

cd /etc/init.d
ln -s net.lo net.eth0
ln -s net.lo net.wlan0
rc-update add net.eth0 default
rc-update add net.wlan0 default
/etc/init.d/net.eth0 start
/etc/init.d/net.wlan0 start

DHCP, DNS, and Hostapd configuration

A simple dhcp server to use is dnsmasq. It is installed by entering emerge -av dnsmasq. When you install the package there is a default dnsmasq.conf file created in /etc.  Make a backup of the file with mv /etc/dnsmasq.conf /etc/dnsmasq.conf.bak.  Now create a blank config file with nano -w /etc/dnsmasq.conf and something similar to what is below.

gentoo-rpi3 rican-linux # cat /etc/dnsmasq.conf

This will take care of both dhcp and dns setting for users who join the AP. 

AP configuration is controlled by hostapd. Installing the daemon is done by  typing emerge -av hostapd.  Like dnsmasq create a backup file for the /etc/hostapd/hosapd.conf file. Here is sample of the config file.

gentoo-rpi3 rican-linux # cat /etc/hostapd/hostapd.conf
rsn_pairwise = CCMP

Finally enable these services.

/etc/init.d/dnsmasq start
rc-update add dnsmasq default
/etc/init.d/hostapd start
rc-update add hostapd default

iptables set up

If someone wants the RPI to have the ability to NAT and packet filter then iptables is the tool. It will allow through a series of rules to allow, block, NAT and host of other features that Gentoo has documentation on its iptables wiki, Security Handbook, and Home Router wiki. Iptables is very powerful so be careful when you are editing policies via ssh or you will kick yourself out. For the initial setup I would recommend doing it from the serial console and then testing your rules before saving.

The first thing to do is clear iptables and the nat table before starting. This is done by doing the following.

gentoo-rpi3 rican-linux # iptables -F
gentoo-rpi3 rican-linux # iptables -t nat -F
gentoo-rpi3 rican-linux # iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination      

Chain FORWARD (policy DROP)
target     prot opt source               destination      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      
gentoo-rpi3 rican-linux # iptables -t nat -L
target     prot opt source               destination      

Chain INPUT (policy ACCEPT)
target     prot opt source               destination      

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination      

target     prot opt source               destination

The first two commands clear the table and second two lists the table. Now that it is verified that the tables are flushed lets begin.

We will is setup packet filtering then move on to NAT. Defining the default policy for the 3 chains that iptables uses is the first thing to do. These chains are INPUT, FORWARD, and OUTPUT. The INPUT chain controls what traffic is allowed to connect to your firewall. FORWARD controls what traffic you allow through the firewall. OUTPUT controls what traffic the firewall sends out. This is how you set this up.

gentoo-rpi3 rican-linux # iptables -I INPUT -p TCP --dport ssh -i eth0 -j ACCEPT
gentoo-rpi3 rican-linux # iptables -P INPUT DROP
gentoo-rpi3 rican-linux # iptables -P FORWARD DROP
gentoo-rpi3 rican-linux # iptables -P OUTPUT ACCEPT
gentoo-rpi3 rican-linux # iptables -vL
Chain INPUT (policy DROP 19 packets, 1729 bytes)
 pkts bytes target     prot opt in     out     source               destination      
  423 28968 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      

Chain OUTPUT (policy ACCEPT 135 packets, 13152 bytes)
 pkts bytes target     prot opt in     out     source               destination

If you were doing this via the serial console then the first (which allows ssh traffic to the eth0 interface) rule could be entered later. However if you were editing your policy via shh coming in on the eth0 interface, then you need to add this rule before you lock down your policy. I set the INPUT and FORWARD policies to DROP and the OUTPUT policy to ACCEPT. This setting will mean that any connection that I want to allow to the firewall or through the firewall I need to define or else the firewall will drop it. However any connection the firewall sends out will be allowed.

Now that the default policies are set we can set out access rules.

gentoo-rpi3 rican-linux #iptables -I INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
gentoo-rpi3 rican-linux #iptables -I INPUT 1 -i wlan0 -j ACCEPT
gentoo-rpi3 rican-linux #iptables -I INPUT 1 -i lo -j ACCEPT
gentoo-rpi3 rican-linux # iptables -I FORWARD -i wlan0 -s -j ACCEPT

gentoo-rpi3 rican-linux # iptables -A FORWARD -i eth0 -d -j ACCEPT
gentoo-rpi3 rican-linux # iptables -vL
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      
  624 48671 ACCEPT     all  --  any    any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  lo     any     anywhere             anywhere          
  111  7392 ACCEPT     all  --  wlan0  any     anywhere             anywhere          
 4298  305K ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:ssh

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination      
 1338 82115 ACCEPT     all  --  wlan0  any       anywhere          
  136 82600 ACCEPT     all  --  eth0   any     anywhere       

Chain OUTPUT (policy ACCEPT 47 packets, 5574 bytes)

These rules allows the wlan0 network ( to pass through the firewall to anywhere. Now to access the public internet, the local network ( needs to be hidden by the public ip address of your router/firewall (in this case eth0). This is done through a process call Network Address Translation (NAT). When an entire network is translated into one public address this is called Dynamic NAT or Hide NAT. The setup is pretty simple.

gentoo-rpi3 rican-linux # iptables -t nat -I POSTROUTING -o eth0 -j MASQUERADE
gentoo-rpi3 rican-linux # iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 MASQUERADE  all  --  any    eth0    anywhere             anywhere 

The NAT table has two additional chains PREROUTING and POSTROUTING. PREROUTING defines how the router/firewall will nat the traffic before it makes it forwarding decision. POSTROUTING defines how the router/firewall will nat the traffic as its being forwarded out the device. Since a Hide NAT is for outbound traffic it is added to the POSTROUTING chain.

Now just add your devices to the wifi network and you should have connectivity. If you want to see what devices are on your wifi network run the command iw dev wlan0 station dump.

UPDATE I: I forgot to explain how to save your iptables changes so they will be persistent after reboots.

/etc/init.d/iptables save
rc-update add iptables default

UPDATE II: You will need to enable routing by adding the following lines to /etc/sysctl.conf then running the command sysctl -p.

net.ipv4.ip_forward = 1
net.ipv4.conf.default.rp_filter = 1

Tuesday, July 5, 2016

Living the Gentoo life!

It was a while back when I did my Gentoo review on my iBook G4. I was really liked how well it performed but the one drawback was the compile time. Well I have decided to run with Gentoo again. This time I am using my PowerBook G4 (it is back from the dead!!) and my PowerMac G5. It has been a few weeks and it has been both challenging and fun. Pretty much everything I did in my previous review was the same but I would like to take some time and go over some specifics.

Kernel Compiling

When it comes time to compile your kernel, there are two commands that will give you what you need to have a bootable kernel. Then you can go in and make your tweaks.

G3 and G4 machines use: make pmac32_defconfig
G5 machines use: make g5_defconfig

Now that you have your base kernel you can use make menuconfig to make your needed edits. Be sure to follow the Gentoo PPC FAQ for the graphics and sound sections. If you follow that then you should be ok with the kernel. If I would have started using defconfigs from the begging I would have saved hours of work!


The latest version of yaboot is broken and if you try to use to install the boot loader you will not be able to boot. Thankfully the version of yaboot on the live cd works fine and here is how you use it.

First you need to have your fstab file set up. The PPC:Handbook's filesystem section covers this well. At this point of the install you are still chroot in you new enviroment, now you are going to leave by entering exit. Once you are out to set up yaboot use this command: yabootconfig --chroot /mnt/gentoo. Just answer the questions provided and you should have a working yaboot.conf file. Finally since this will be the inital load you will enter this: mkofboot -v -C /mnt/gentoo/etc/yaboot.conf. Now you should be ready to boot. If you do run into issues booting into your system, go back into the live CD and edit the device section of yaboot.conf and set it to hd:. Then reload with ybin -v -C /mnt/gentoo/etc/yaboot.conf. This should be the only change you need.

Final Thoughts

Living in Gentoo has been a lot of work. As time permits I will be sharing some of the challenges I ran into. Yet I must say I have really come to love living in Gentoo. I have learned so much about how Linux works as an OS just by using Gentoo and getting to work on my PowerPC machines. Yes the compile times are sometime long (I left it running overnight to build xorg and xfce). However what you get in the end is a system that you can truely say you built from the ground up. There is a level of satisfaction with that.

Friday, January 29, 2016

Lubuntu 16.04 Alpha 2 is out with LXQT awesomeness!

I have been wanting to test out LXQT for ages. So far it is not in the Debian repos for PowerPC. Thanks to the developers over at Lubuntu that time is now!

So with the release for 16.04 Alpha 2 you too can have LXQT running on your PowerPC iBook or PowerBook. You can find the instructions here and a special thanks to Walter Lapchynski of the Lubuntu Team for using my screenshot. I will post some more below.

I really like the design of the DE plus Lubuntu has added more options to customize it as well. For example they added the LXQT Configuration Center. From there you can do things like edit your keyboard shortcuts. This is a nice change from editing files in vi. Also using compton just adds that nice compositing effect that make DE look even better.

It is still buggy is some areas. The window to manage the panel does not always pop open, two finger scrolling with the trackpad does not work on the windows or Qupzilla. Video playback works but it still more resource heavy than Debian. However some of these should not be an issue if you running a Powermac.

Please give Lubuntu a test drive and go to the QA ISO Tracker, from there run some of their tests and post your results. This is how we keep PowerPC supported under Linux.

Sunday, November 22, 2015

Video Playback on PowerPC Linux

In my testing of Lubuntu and Ubuntu-MATE on my iBook G4 one things that I notice often is that when playing back video using mpv my overall CPU usage spike to the high 90s. The fan on my machine start spinning really loud and fast. I thought I would do a comparison of with Debian to see how they compare. Here are some of my findings.


iBook G4
1.42 GHz CPU
1.5 GB RAM

These findings are based on lxtask

LXDE and Openbox

Overal CPU average 50%-60%
MPV process 30%-40%

The fans not once came one and there only brief spikes to 80%-90% CPU usage.


Overal CPU average 70%-80%
MPV process 30%-40%

Even with the higher numbers due to XFCE being a heavier desktop than LXDE, video playback did not cause my fans to run. As much as I love Ubuntu based distros Debian is by far the better performer. I believe a lot of it is due how I set up Debian. When I installed the system I manually chose what applications and services were installed on my machine. Ubuntu on the other hand chooses for you what comes with the desktop. The advantage to this is you get a compete working system pretty easily. The cost of this is have a performance hit. On newer machines this may not be a big deal but on older G3 and G4 PPC machines it is a great deal. You get no more than 2GB of RAM on some machines, and a single processor for the iBooks and PowerBooks. I would never say stop using Lubuntu or Ubuntu-MATE, however give Debian a try. Yes it will take some more work than Ubuntu, however the benefits of running it are great.

Thursday, November 12, 2015

Testing Lubuntu 16.04 Xenial Xerus

Now that Wiley has been released, development for Ubuntu 16.04 (Xenial Xerus) has begun. Daily images have already been posted. Both Lubuntu and Ubuntu-MATE have PowerPC images ready for testing. People over at the UbuntuForums have alreasdy begun testing the new images. Also there was hope that the radeon r300 bug was fixed if you looked at the Mesa 11.0.3 release notes. Xenial as of now comes with the Mesa 11.0.4 package. So here are my initial thoughts.


The install was pretty standard. There was nothing that stood out and to be honest this is a good thing. The installer should ask you the questions the app needs to build the system according to what you have requested. I noticed in Wiley that section the manages setting the timezone was broken and you needed to set the timezone after install. This has now been fixed.


The desktop had a realy nice default look to it. I made the panel dark using the Lubuntu-Dark theme. The panel apps I tried worked as well. I noticed in 14.04 that the weather panel app did not work. Now in 16.04 it is working. The system resource monitor worked as well. I like seeing the CPU and RAM usage plus the app launches lxtask when you click on it. A lot of the default apps that normall come with Lubuntu were not installed but this is something I expected since it is so early in development and there maybe changes as to what ships in the final release.


Sadly eventhough Mesa has stated this bug to resolved it is not the case. You cannot get 3D acceleration with radeon r300 driver with a default depth of 24. Graphics rendering has been an issue for PowerPC since moving to KMS. It is not a show stopper in using Linux on PowerPC, but it is annoying.

Browsing the Web

Firefox worked as expected. I install Midori, Qupzilla, Luakit, and Surf as well. Midori works great! It looks like even downloading files is working better. In the past there were times when that feature would crash. It is really good to see improvement there. Also uploading files is working as well. Luakit has gotten a little buggy. There were times when the browser crashed when I used it. It is something I have seen in 15.10 and I know there is an open bug report on it. Qupzilla has issues when trying to scroll down using the touch pad. Other than that it ran pretty well. Running Surf showed no issues that i could see.

My first impression of Lubuntu 16.04 are pretty optimistic. I will be checking in on it when the Alpha and Beta releases come to see how the distro is doing under PowerPC.

Friday, October 16, 2015

Linux from Scratch Journey part 1

I have installed both Gentoo and Arch Linux in VMs and real hardware. Both are the most customizable Linux distros I have worked on. You basically get a bash shell and build from there. However if you really want a customizable version of Linux that you can say you built then you should take the plunge and try Linux from Scratch.

Linux from Scratch (LFS) is a version of Linux that is built completely from source. What you get from LFS is a document that walks you through how to build your system. I just finish the section where you build your temporary tool-chain that you will use the build the system. The instructions were great. So long as you follow them exactly you should be fine. I am right now building an x86_64 based system, however depending on how successful I am I may try to build a PowerPC version on my iBook G4.

I will be adding posts as I work through LFS. Document both the success and issues that may arise.