Device specifications:
======================
* Qualcomm/Atheros AR9344 rev 2
* 560/450/225 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi
* 2T2R 5 GHz Wi-Fi
* 4x GPIO-LEDs (2x wifi, 1x wps, 1x power)
* 1x GPIO-button (reset)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 1x ethernet
  - AR8035 ethernet PHY (RGMII)
  - 10/100/1000 Mbps Ethernet
  - 802.3af POE
  - used as LAN interface
* 12-24V 1A DC
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

    setenv serverip 192.168.1.21
    setenv ipaddr 192.168.1.1
    tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

    scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

    sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Gluon image name change
=======================
The device had the image name "openmesh-mr600" in older versions of Gluon.
This had to be changed with the new name in the device trees of the ath79
device tree.
Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 2T2R 2.4 GHz Wi-Fi (11n)
* 2T2R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8035 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

    setenv serverip 192.168.1.21
    setenv ipaddr 192.168.1.1
    tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

    scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

    sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

Device specifications:
======================
* Qualcomm/Atheros QCA9558 ver 1 rev 0
* 720/600/240 MHz (CPU/DDR/AHB)
* 128 MB of RAM
* 16 MB of SPI NOR flash
  - 2x 7 MB available; but one of the 7 MB regions is the recovery image
* 3T3R 2.4 GHz Wi-Fi (11n)
* 3T3R 5 GHz Wi-Fi (11ac)
* multi-color LED (controlled via red/green/blue GPIOs)
* 1x GPIO-button (reset)
* external h/w watchdog (enabled by default)
* TTL pins are on board (arrow points to VCC, then follows: GND, TX, RX)
* 2x ethernet
  - eth0
    + Label: Ethernet 1
    + AR8035 ethernet PHY (RGMII)
    + 10/100/1000 Mbps Ethernet
    + 802.3af POE
    + used as WAN interface
  - eth1
    + Label: Ethernet 2
    + AR8031 ethernet PHY (SGMII)
    + 10/100/1000 Mbps Ethernet
    + used as LAN interface
* 1x USB
* internal antennas

Flashing instructions:
======================

Various methods can be used to install the actual image on the flash.
Two easy ones are:

ap51-flash
----------

The tool ap51-flash (https://github.com/ap51-flash/ap51-flash) should be
used to transfer the image to the u-boot when the device boots up.

initramfs from TFTP
-------------------

The serial console must be used to access the u-boot shell during bootup.
It can then be used to first boot up the initramfs image from a TFTP server
(here with the IP 192.168.1.21):

    setenv serverip 192.168.1.21
    setenv ipaddr 192.168.1.1
    tftpboot 0c00000 <filename-of-initramfs-kernel>.bin && bootm $fileaddr

The actual sysupgrade image can then be transferred (on the LAN port) to the
device via

    scp <filename-of-squashfs-sysupgrade>.bin root@192.168.1.1:/tmp/

On the device, the sysupgrade must then be started using

    sysupgrade -n /tmp/<filename-of-squashfs-sysupgrade>.bin

ac99fde54 haproxy: update to version 2.2.22
ee4267e97 tree: bump to 2.0.2
f01cf663b curl: Fix compiling curl wolfSSL IPv6 disabled
185c5e365 bind: bump to 9.18.1
919dd8013 libnetfilter-log: update to 1.0.2
8e9f10223 libxml2: update to 2.9.13
793e7ee48 auc: don't segfault on invalid URL
31e2e7ccb auc: fall back to 'sdcard' image
8999b60db auc: accept both 'y' and 'Y' as confirmation from user
1adcda368 auc: add '-n' parameter for dry-run
facfdaca2 attendedsysupgrade-common: update to 2021
aa41482d3 yq: Update to 4.22.1
8518b2d5d yq: Update to 4.21.1
f550d9066 syslog-ng: update to version 3.36.1
b2ec8c84f tvheadend: bind to LAN IP by default
e061d8eff dockerd: fix compilation with glibc
fd30ce33f docker: fix compilation with glibc
a11359b88 yggdrasil: bump to 0.4.3
1d7d46db0 i2pd: Update package
c384dbb19 i2pd: add service reload support
938187fa2 coova-chilli: remove kmod dep on binary package
109f2770a cache-domains: Fixed hotplug script not running
5562cef26 nextdns: Update to version 1.37.10
5f20a9171 golang: Update to 1.17.8
1a0cb5ce4 curl: update to 7.82.0
701ca2532 python-twisted: Update to 22.2.0
4c0748396 python-twisted: Update to 22.1.0, refresh patches
3e75dc582 mdnsresponder: Fix nullpointer dereference while parsing interface list
9722b1ec0 crowdsec-firewall-bouncer: remove crowdsec package dependency
5b51bb3a5 kcptun: bump to v20210922
81ed00124 samplicator: fix Wformat warning
da82b8c9c ocserv: updated to 1.1.6
a8b73c250 openconnect: updated to 8.20
e208f42c5 yq: Update to 4.20.2
e2bf8e1d8 MarkupSafe: update to version 2.1.0
41fe385fd domoticz: update to 2021.1
e9dee2684 minizip: update to 3.0.2
697115688 minizip: update to 3.0.1
adc6fcc88 minizip: update to 3.0.0
584c0c437 expat: import patches for CVEs
5f3226dc1 nfdump: update to 1.6.23
e7715b18b htpdate: drop www.freebsd.org from default server list
4d0e0f414 nano: update to 6.2
45009c340 unbound: update to version 1.15.0
9ba9579a1 yq: Update to 4.20.1
a5de4042c pcapplusplus: Add new package
10a805492 vnstat2: update to version 2.9
42f35cdda vnstat2: add hotplug script for adding interfaces
f8820d2ae vnstat2: fix all interfaces being monitored when none are configured
86f85cde4 vnstat2: update to version 2.8
f4a390c59 php7: update to 7.4.28
5eb97e05e php8: update to 8.0.16
b409127e6 slide-switch: Update to 0.9.7
4919a791a golang: Update to 1.17.7, refresh patch
43276c649 tvheadend: fix first-run
362c8c4df ksmbd-tools: update to 3.4.4
41ca56ff2 ksmbd-tools: Fix ksmbd service is semi-killed at system startup
c4bb2fadc ksmbd: update to 3.4.4
06ffe5c4d ksmbd: update to 3.4.2
c7e0be3a3 ksmbd: update to 3.4.1
d5f588268 dockerd: Update to 20.10.12
66dda3aa2 docker: Update to 20.10.12
845d2203b yq: Update to 4.19.1
4e8267602 dtc: drop package
845b9a1df knot: update to 3.1.6
d286939b7 knot: update to 3.1.5
38eaee347 nano: update to 6.1
0329b2c11 xray-core: Update to 1.5.3
d18542ecf ruby: update to 3.0.3
a507620a1 https-dns-proxy: init script refactoring
5dcf0b57c slide-switch: Update to 0.9.6
4bd6bc41c ffmpeg: update to version 4.3.3
ac4ecdf85 tinyionice: add package
1a40a0a0b yq: Update to 4.18.1
32e85322c yq: Update to 4.17.2
675755537 apache2: security update to version 2.4.52
74f9ae028 bind: bump to 9.18.0
b29655996 crowdsec: update from latest upstream release 1.3.0
3b28c6f38 wg-installer: use babeld add_interface function
1026a1fd4 crowdsec-firewall-bouncer: fix name in initd to start the process
9137583d3 nano: Add a plus variant with more features
2cd892879 https-dns-proxy: update to 2021-11-22-1
8d8cf2628 dawn: update to 2022-01-17
f921cc4b7 python-dns: update to version 2.1.0
df7568303 prosody: update to version 0.11.13
14b623f73 telegraf: Update package to version 1.21.3
82c35fa92 telegraf: Move config file to /etc/telegraf.conf because /etc/config is the default uci folder. Also marking it as configuration file prevents overwriting it on updates.
989aecf2b telegraf: Add package for telegraf
299684dd5 ffmpeg: update to 4.3.2
213aaa1f3 clamav: update to version 0.104.2
9c476ee99 clamav: update to 0.104.0
294196303 node: January 10th 2022 Security Releases
fc835bcaa tvheadend: fix conffiles section
48bf1a0d0 lighttpd: update to lighttpd 1.4.64 release hash
82339309f lighttpd: update to lighttpd 1.4.63 release hash
527f2b920 lighttpd: update to lighttpd 1.4.62 release hash
4f990b7cd tvheadend: fix typo in uriparser
aeb8aad5c wg-installer: fix multiple namespaces
e29f38650 php8: update to 8.0.15
d7c78f83b tvheadend: disable uriparser
c7f25b25d python3: Update to 3.9.10, refresh patches
b9bfe1ef1 wg-installer: remove unused dependency
9a836f430 wg-installer: create wireguard key if it does not exist
317ba6a43 wg-installer: install cronjob
a430932a7 wg-installer: check if a key is already inserted
0aaa90629 wg-installer: rework code
dea64c08e wg-installer: cosmetic changes
A section can be marked as preserved by setting the gluon_preserve option
to 1. In addition the following conditions must hold:

- The preserved section must not already exist after OpenWrt's and
  Gluon's setup scripts run. Modifying existing sections is currently
  unsupported.
- Preserved sections must be named, so it can be detected whether a
  section conflicts with a preexisting one.
Allow interface names to change on updates to handle hwconfig -> DSA and
similar migrations.
On devices with only a single interface, a sysconfig single_ifname is
created instead of wan_ifname or lan_ifname to allow separate
configuration in site.conf.
With the new role-based interface configuration, it would be better to
rename the wan/wan6 interfaces to uplink/uplink6, but that would cause
unnecessary churn for the firewall configuration, so it is left for a
later update.
As all interfaces with the 'uplink' role are in the br-wan bridge, it is
not possible to assign these to the 'mesh' role independently - instead,
br-wan is added as a mesh interface as soon as a single interface has
both the 'uplink' and 'mesh' roles. The UCI section for this
configuration is now called 'mesh_uplink' instead of 'mesh_wan'.
For all interfaces that have the 'mesh', but not the 'uplink' role a
second configuration 'mesh_other' is created. If there is more than one
such interface, all these interfaces are bridged as well (creating a
bridge 'br-mesh_other'). This replaces the 'mesh_lan' section with its
optional 'br-mesh_lan' bridge, but can also include interfaces that were
not considered "LAN" when interface roles are modified (via site.conf
or manually).
The new configuration generates sections iface_single/lan/wan in
/etc/config/gluon. These sections usually refer to a sysconfig-controlled
interface list, but adding custom sections with verbatim interface names
is also possible.
Each interface section contains a list of roles. The supported roles are
'client', 'uplink' and 'mesh'. Multiple roles can be configured on the
same interface (for example the old 'mesh_on_wan' setting would become
'uplink'+'mesh').
'client' is subsumed by any other role configured on the same interface
('client'+'mesh' is equivalent to 'mesh'). This property is important, as
it allows the Wired Mesh settings in gluon-web-network to simply add and
remove the mesh role without having to care what other roles are set -
so in the default setup, this would switch between 'client' and
'client'+'mesh' for the LAN interface.
By default, the WAN interface has role 'uplink' and the LAN interface
'client'; if only a single interface exists, the roles from the WAN
interface are used by default. The default for each of the three
interfaces (WAN/LAN/single) can be changed separately in site.conf,
superseding the old mesh_on_wan, mesh_on_lan and single_as_lan settings.
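
The role rules from the two messages above ('client' subsumed by any other role, br-wan becoming a mesh interface, 'mesh_other' and its bridge), worked through as an added Lua example. This is not Gluon's own code; the section layout, the interface names and the helper names `effective_roles` and `mesh_plan` are hypothetical.

```lua
-- Added example, not Gluon's code. Section layout and ifnames are constructed.

-- Turn a role list into a set; 'client' is dropped when any other role is set.
local function effective_roles(list)
  local set, other = {}, false
  for _, role in ipairs(list) do
    set[role] = true
    if role ~= "client" then other = true end
  end
  if other then set.client = nil end
  return set
end

-- Derive the two mesh configurations from a list of interface sections.
local function mesh_plan(sections)
  local plan = { mesh_uplink = false, mesh_other = {} }
  for _, s in ipairs(sections) do
    local roles = effective_roles(s.role)
    if roles.uplink and roles.mesh then
      plan.mesh_uplink = true                   -- br-wan as a whole meshes
    elseif roles.mesh then
      table.insert(plan.mesh_other, s.ifname)   -- mesh without uplink
    end
  end
  -- More than one 'mesh_other' interface: they are bridged.
  plan.mesh_other_device = (#plan.mesh_other > 1) and "br-mesh_other"
    or plan.mesh_other[1]
  return plan
end

-- Default setup: WAN is 'uplink', LAN is 'client', so nothing meshes on wire.
local default = mesh_plan({
  { ifname = "eth0", role = { "uplink" } },
  { ifname = "eth1", role = { "client" } },
})
assert(default.mesh_uplink == false and default.mesh_other_device == nil)

-- Old mesh_on_wan plus Wired Mesh enabled on two LAN-side ports.
local wired = mesh_plan({
  { ifname = "eth0", role = { "uplink", "mesh" } },
  { ifname = "eth1", role = { "client", "mesh" } },
  { ifname = "eth2", role = { "mesh" } },
})
assert(wired.mesh_uplink == true)
assert(wired.mesh_other_device == "br-mesh_other")
assert(effective_roles({ "client", "mesh" }).client == nil)
print("mesh_other members: " .. table.concat(wired.mesh_other, ", "))
```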
The stdout output of gluon-web scripts is directly sent to uhttpd,
becoming a part of the HTML output or even replacing HTTP status or
headers. The output of gluon-reconfigure is not supposed to end up
there.
While we're at it, also add an exec to avoid an unnecessary shell
process.
The OpenLayers JS/CSS download URL is dead. Update it to make the map
work again:
- Update from OpenLayers 5.2.0 to 5.3.0
- Switch from the obsolete rawgit.com URL to jsdelivr.net (rawgit.com
was only redirecting to jsdelivr.net for the last few years anyways)
- Set a fixed commit in the URL, so the URL doesn't become outdated again
- Restructure page
- Add information on how to add L2TPv3 offloading support to a build
  using configurable ciphers. The null method is not recommended anymore.
- Add notes and pointers regarding the gateway configuration to provide
gateway admins with hints on how to modify their configuration to
accommodate this new feature.
- Mention wireguard support
Based-on-patch-by: Felix Kaechele <felix@kaechele.ca>
The "null" and "null@l2tp" methods are considered equivalent and always
added and removed together when the method list is "configurable".
"null@l2tp" is added before "null", so it is preferred when the peer
supports both.
As gluon-web uses standard multipart/form-data requests, browsers don't
enforce any cross-origin restrictions. To prevent malicious injection of
POST requests into the config mode, match the Origin header against the
Host header of the request.
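
The Origin-against-Host comparison described in the message above, as an added Lua sketch. This is not Gluon's own code; the `env` table of CGI-style variables, the helper names and the choice to reject a POST that carries no Origin header are assumptions.

```lua
-- Added example, not Gluon's code. `env` is a hypothetical table of
-- CGI-style request variables; all sample requests are constructed.

-- Return "host[:port]" from an Origin value such as "http://192.168.1.1".
-- "null", non-http(s) schemes and values carrying userinfo, a path or
-- whitespace yield nil.
local function origin_authority(origin)
  if type(origin) ~= "string" then return nil end
  local scheme, authority = origin:match("^(%a[%w+.-]*)://([^/?#@%s]+)$")
  if not scheme then return nil end
  scheme = scheme:lower()
  if scheme ~= "http" and scheme ~= "https" then return nil end
  return authority:lower()
end

-- Policy assumed here: a POST is accepted only when Origin is present and
-- names exactly the authority in Host. Other methods are not checked.
local function post_allowed(env)
  if env.REQUEST_METHOD ~= "POST" then return true end
  local host = env.HTTP_HOST
  local authority = origin_authority(env.HTTP_ORIGIN)
  if not host or not authority then return false end
  return authority == host:lower()
end

local function post(origin)
  return { REQUEST_METHOD = "POST", HTTP_HOST = "192.168.1.1", HTTP_ORIGIN = origin }
end

local samples = {
  { "config mode page",  post("http://192.168.1.1"), true },
  { "foreign site form", post("http://example.org"), false },
  { "lookalike host",    post("http://192.168.1.1.example.org"), false },
  { "opaque origin",     post("null"), false },
  { "no Origin header",  post(nil), false },
  { "plain GET",         { REQUEST_METHOD = "GET", HTTP_HOST = "192.168.1.1" }, true },
}

for _, s in ipairs(samples) do
  local name, env, expected = s[1], s[2], s[3]
  local verdict = post_allowed(env)
  assert(verdict == expected, name)
  print(string.format("%-18s %s", name, verdict and "accept" or "reject"))
end
```

The comparison is on the whole authority, so a host that merely starts with the device address does not pass.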
Actually raise an error and turn it into an HTTP 400 return code when
something goes wrong, rather than ignoring the error.
We also improve the conditions under which errors are thrown before
pump() is called: We don't need to check for the multipart/form-data
content-type twice, and a POST without this content-type is now always
an error.
By applying a label `backport <branch>` the action will automatically
try to cherry-pick the change to the target branch after the pull
request was successfully merged.
Swap the interfaces so that the PoE input port LAN0 is used for WAN and
config mode, and LAN1 becomes LAN.
To this end, the code previously used for ar71xx and removed in
commit 9fdc57c175 ("treewide: drop ar71xx platform specific code") is
reintroduced.
Fixes #2384
There wasn't really a reason to have a separate script to set a single
value.
In addition, the old script was using the identifier 'c' instead of
'uci' for the UCI cursor. Following the convention of the other scripts
is helpful so it is easy to grep for all uses of a certain config file/
option.