I have a few questions I’m hoping you can help me with:
1] How do I make the single ethernet port in ubiquiti devices such as the rocket or the
bullet a wan interface and not a lan? I’ve added a wan interface and it works but traffic
from lan doesn’t pass through to it, I can only ping an internet destination from luci
diagnostics, not from actual lan clients.
2] How can I cook my profile for a device that isn’t listed? Can I submit one for
addition? Or do I have to compile it manually outside of chef?
3] Is bmx7 already available in chef? If so how do I select it? And most importantly, will
it break compatibility with bmx6 nodes if introduced later on? In a more general question,
within the same network in chef, what can break compatibility between profiles?
I had written Pau a very long mail with these questions but I’m sure it was a little
overwhelming [sorry about that ;]. I’m also having spam issues due to a recent server
migration. I hope someone can help me with this.
Thank you so much in advance! I really appreciate your help.
From: Nicolas North <nk(a)os.vu>
Date: 27 January 2017 at 23:58:59
To: libremesh users <lime-users(a)lists.libremesh.org>
Subject: Re: [lime-users] Security questions and customizations
Thank you very much for your very nice and kind introduction to this “new world” for us.
It’s kind of a shocker for us since - as I’ve mentioned - we discovered you exactly when
putting the finishing touches on our very long research into olsr based mesh networks, and
sparked some heated debate between us as to whether to stay with our stable and known setup
or to leave it aside and follow on with your project - since it looks extremely exciting.
I’m also amazed at the level of work that Axel [and you / others?] have put into bmx7
[I’ve watched the entire presentation from last year just tonight]. It’s very encouraging
for me [being a complete security freak] to see others tackling the issue straight-on and
with such open-mindedness. I’ve joined the bmx7 ml and will wait to read what they write.
The lack of the web interface in LiMe is kind of scary for us, especially when building
networks from scratch where even the slightest indication can make a difference in the
real world when installing routers and stuff. I’m already missing the coloured strength
indicators from olsr, but I’ll get used to it over time.
Thank you for the tips: I’ll try adding wpa2/aes to the AP wireless network. I’m trying
option ap_encryption 'psk2/aes'
option ap_key 'your-secret-password'
I now have reworked our naming conventions and allowed for mixed-band SSIDs. Back to
actual technical problems ;]
I’ll hold off on 802.11s for now as I’m eagerly waiting for bmx7. Is it already available
in chef? If so how do I select it? And most importantly, will it break compatibility with
bmx6 nodes if introduced later on? In a more general question, within the same network in
chef, what can break compatibility between profiles?
A "big chunk" of our research was getting our firmware on every device possible,
and we’ve been having a lot of fun with GL Inet mini-routers, that have performed
optimally in our tests, supporting both the AP and MESH wireless networks with high speeds
and low latency. Also we’ve been experimenting with portable wifi routers / power banks,
that are based on older GL Inet router boards, with the idea of using them as a
replacement for a traditional 3G hotspot, therefore creating a dynamic mesh topology that
follows you and others around. How could I, for instance, cook my profile for a device
that isn’t listed? Can I submit one for addition? Or do I have to compile it manually
outside of chef?
Our network aims to be a city-wide network. It’s a nearly-impossible ambition, but there’s
nothing stopping us from trying. Our dream is to have it everywhere, and therefore its
security is obviously a core issue. I think that bmx7 combined with some kind of online
web-of-trust could be a good solution one day, for now we’ll have to wait and see how things
I hope I’m not violating any ml rules here by saying that our network is a project of our
hacker space we’re bringing to life here in Milano, Italia. I won’t say any names in case
this does go against the rules [advertising / propaganda / etc… ;]. I’m only
mentioning this because, as I wrote on the Ninux ml a few weeks back, I’d love for anyone
as passionate as we are about mesh networks to come and check out our humble but ambitious
work, and to share with us their experiences, and - who knows - maybe even help us
experiment out in the field the next generations of LiMe as you’ve so nicely suggested to
In any event I really hope to be able to attend one of the next conferences and meet you
in person. I also hope we can somehow contribute to your fantastic project in the
future beyond simple testing, once we acquire more skilled people that could actually make
the difference for you.
Thank you so much once again. Please let me know what you think! I hope this makes some
sort of sense :]
From: Pau <pau(a)dabax.net>
Reply: libremesh users <lime-users(a)lists.libremesh.org>
Date: 23 January 2017 at 19:02:02
To: lime-users(a)lists.libremesh.org <lime-users(a)lists.libremesh.org>
Subject: Re: [lime-users] Security questions and customizations
Hi Nicolas. Welcome to the libre-mesh community :)
Find my comments in-line.
On 23/01/17 03:59, Nicolas North wrote:
I discovered your truly fantastic project through Ninux. I’m creating a mesh network here
in Milano, Italia, with my project openspace. We are trying to build something truly
scalable that could one day work all over the city. We started out with the excellent
Commotion, and have moved onto a MetaMesh-like setup with pure openwrt and manual
configurations for a lack of pre-compiled images of Commotion.
I’ve now discovered your project which seems to be a dream come true, which is
Commotion-like ease of creation and deployment, but with much wider compatibility. If I
manage to embrace and understand this new world outside of olsr and if we can get a few
details figured out I really think this could be the definitive way to go, at least for
the time being.
Commotion vs. Libremesh has always been a nice topic since 2013 when we
did a talk together at the WCW in Berlin. There has also been some
cooperation between the teams but obviously we chose different ways. I
would say that our approach is more experimental and innovative while
theirs is more conservative. What we do by mixing routing protocols on
different layers is kind of crazy for traditional thinking. But now
that it is implemented and working I would say it was the correct
choice. To know more: http://libre-mesh.org/howitworks.html
However the main missing point IMO for Libremesh is the web interface.
It is still on the to-do list. There is a first very-simple
implementation but we are planning to write it from scratch using LUCI2
as basis instead.
So the current idea under libre-mesh is that you prepare a
/etc/config/lime and/or /etc/config/lime-defaults configuration file for
your mesh network (it has a lot of options and it is very flexible). And
thanks to the implemented heuristics it should automatically work on all
your nodes. So one config for all nodes.
You can check out the details of our current
MetaMesh-like configuration here should you be curious:
[temporary address]. It basically adds on top of
MetaMesh to try and reach Commotion’s configuration flexibility, like WPA2 on AP and MESH
levels, olsrd-secure, and other nifty little details. The writing of this howto is a work
in progress, but we should be finished in about a week.
All of this is the result of over a year of work on our part, thanks to all of the amazing
projects like yours out there. While approaching your project as a total newbie that has
only worked with Commotion and MetaMesh, is there anything in the large scale that works
so fundamentally differently in libremesh from how our previous setup works, that we
should be considering before starting out?
Thanks to you for working on this also :)
If we start using LiMe to our network, we’d like to
introduce WPA2 encryption on the AP and MESH wireless networks. And is it possible to
separate the 2.4ghz and 5ghz MESH wireless networks SSIDs? Also, do you authenticate nodes
on the network, like olsrd-secure does? If so, how? Is it possible to change the ssh port
of the various nodes [security-by-obscurity self-alert]?
WPA2 AP encryption is already implemented and working. Check for
more details. About mesh encryption, there is currently a thread about
this issue. If you really need this (IMHO a preshared key on an open mesh
network makes no sense), you can use 802.11s for the link layer instead of
Ad-Hoc (which is already supported and tested on LiMe). 802.11s has its
own link layer encryption mechanism, but I never tested it. Check this as
an example. If everything works as expected you might use these two
options in /etc/config/lime (wifi section):
option mesh_encryption 'psk2/aes'
option mesh_key 'your-secret-password'
Let us know if you try it please.
About authenticating nodes, LiMe will do it automatically if you choose to
use bmx7 instead of bmx6. Bmx7 has very advanced security extensions,
much more powerful than OLSR+plugin. However it is still in beta state.
You can learn more about bmx7 here. But don't worry, everything
is done automatically :)
To better explain, we’re always trying to figure out
how to make the infrastructure solid and resilient, and how to protect traffic and
authenticate devices with more advanced crypto than simple symmetric keys [like the very
WPA2 on mesh level and olsrd-secure passphrase that I’m inquiring about] that will leak in
a matter of days after we start using them, so we’re the first to recognise the weakness
of these protections, but they could be considered better than nothing perhaps? Do you
have any other ideas?
At the risk of going off-topic, may I ask what your approach to security matters like
this is? In terms of traffic security, device authentication, and network-wide resistance
to “attacks”? What are the weak spots of the protocols you’re using here, in the event of
someone actually trying to take down a part of the network? I ask because I know that with
olsr for instance it’s enough to set an already-in-use static IP to a device to break the
meshing in a serious way, like in traditional networks. How are things here instead? A
friend of mine was thinking of using a blockchain to authenticate the various routers
entering the network, towards the dream of a network that can’t be stopped by anyone or
anything, exactly like bitcoin.
Anyway, back to us. How can I specify these extra details in the config file? I’m
obviously happy to dig through documentation, but I have found nothing specific enough for
my understanding. I’ve been able to change some parameters in chef under
/etc/config/lime-defaults, but not all. I might be completely misunderstanding some
fundamental details here, please excuse my ignorance.
All this is automatically handled by bmx7. Axel is doing a really good
job on this scope. Do not hesitate to join the bmx mailing list and
ask anything you want to know.
Using blockchain on a 300MHz MIPS device might be very challenging. I
already considered this option in the past but I don't see it as a good
solution for the moment.
Thank you so much in advance and super-kudos for your
amazing work in any event!
Thanks to you.
lime-users mailing list