Finished setting up the first radio for my home built wireless x86 router


G+_Benjamin Webb

Finished setting up the first radio for my home built wireless x86 router. It is a PC Engines apu2c4. It has only 3 Intel LAN ports but also 2 mPCIe jacks for wireless cards and one for mSATA, as well as 4 GB and an AMD 1 GHz processor.

Plan is to add 3 more antennas so I can run two AIRETOS AEX-QCA9880-NX cards off of Amazon. This is so I can run dual band. Plan is to add a cheap USB adapter for my EPSON wireless printer (curse them for running G). Figure 5 GHz AC stuff only, 2.4 GHz N stuff, and dongle running 2.4 GHz for G stuff.

Currently running OpenWRT on it. Things to note: it has no video output, so you need to boot off of USB then flash to mSATA. If you mess up the flash, it boots from mSATA first, so you will need to hot plug mSATA after booting off USB or get your serial console on. Currently running at 9 watts as well. Not cheap though: about $50+ a radio, then need cables and antennas. The apu2c4 is about $200 by the time you include case and power supply, then need to pick up something to boot from (USB, mSATA, SD card). Plan to goof with realtime virus scanning through proxy for IoT devices as well as VPN.

Let me know what you guys think and feel free to ask questions.

Link to comment

Not much to write up.

I put on a custom version of LEDE (has support for ath9 and ath10 wireless cards baked in), which is a fork of OpenWRT, from below:

https://github.com/riptidewave93/LEDE-APU2/releases

I then dd that to a USB.

Boot up from USB, log in via eth1 to web interface 192.168.1.1.

Bridge eth1 to eth2 via GUI on LAN interface.

Configure wireless via GUI (don't forget to set country or you will be limited in 5 GHz channels).

Bridge wireless to LAN interface.

Add the firewall rules to pass DNS to LAN. Here is an example done for guest instead of LAN, so easy enough to follow.

wiki.openwrt.org - Configure a guest WLAN using the Luci web-interface [OpenWrt Wiki]

I installed an mSATA drive (don't trust USB/SD cards), then used SSH, installed fdisk to identify the drives, then dd to mSATA, which in my case was /dev/sda. (If you mess up the flash you will need to hotplug mSATA as mentioned before unless you have something to unformat a mSATA.) Boot order is mSATA then USB.

In terms of hardware, you need to drill extra holes if using 3 stream with QCA9880 wifi like me, as there are only two holes. Decided to put 2.4 GHz on another 3 antennas, so another 3 holes.

Example hardware for pigtails and antenna for this I got from below, when they ran similar stuff with Ubuntu and a standard ITX motherboard:

https://renaudcerrato.github.io/2016/05/21/build-your-homemade-router-part1/

If anybody tries this and runs into problems just bump thread for help.

Only needed command line to copy image to mSATA, everything else in web interface (still need to set up HTTPS but local on my LAN should be fine).

I expanded the image on the mSATA as well, which is not so easy but can help people out.

Link to comment
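
The copy-to-mSATA step in the post above, as an added example that is not part of the original post: a POSIX shell function that refuses to write to a mounted target and reads the data back to confirm it matches the image. The function names and the image path are assumptions of this example; `/dev/sda` is the device named in the post.

```shell
#!/bin/sh
# Added example, not the poster's own commands.
# Usage: write_verified IMAGE TARGET
#   IMAGE  - firmware image file (hypothetical path, e.g. /tmp/lede.img)
#   TARGET - block device such as /dev/sda, or a regular file when testing

# Print the SHA-256 of the first BYTES bytes of FILE.
sha_of_first() {
    head -c "$1" "$2" | sha256sum | cut -d' ' -f1
}

write_verified() {
    image=$1
    target=$2
    [ -r "$image" ] || { echo "cannot read $image" >&2; return 2; }

    # Refuse to overwrite a device that (or a partition of which) is mounted.
    if grep -q "^$target" /proc/mounts 2>/dev/null; then
        echo "$target (or a partition on it) is mounted" >&2
        return 3
    fi

    size=$(wc -c < "$image" | tr -d ' ')
    want=$(sha_of_first "$size" "$image")

    # notrunc keeps a regular-file target at full size; harmless on devices.
    dd if="$image" of="$target" bs=1048576 conv=notrunc 2>/dev/null || return 4
    sync

    # Read back exactly as many bytes as were written and compare digests.
    got=$(sha_of_first "$size" "$target")
    if [ "$want" != "$got" ]; then
        echo "verify FAILED: $target does not match $image" >&2
        return 1
    fi
    echo "verified $size bytes on $target"
}
```

On real hardware the read-back can be served from the page cache; running `echo 3 > /proc/sys/vm/drop_caches` after the `sync` makes the comparison hit the media.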

Very nice. I tried a couple times to do a similar build for a pfSense build, but the PC Engines site had the mainboard out of stock every time I tried, hehe.

I think people have also tried the (blast, I can't remember the name, it wasn't MikroTik, or Sophos) router OS on it to much success. As mentioned above, pfS also runs well on those. Each OS has different levels of controls, interfaces and features. I'd recommend playing and with assume others in the future.

Link to comment

pfSense is great for straight up routing and is very mature and stable. Problem is pfSense is BSD based so lacks recent wifi drivers. I use FreeBSD on my FreeNAS box and, although rock solid, driver support takes a while.

I honestly don't think the PC Engines APU2 makes much sense unless you are using the wireless.

I went with LEDE for great wifi support and a nice web interface. As far as I can tell you can do anything pfSense can do with LEDE, but without proper benchmarks I would suspect pfSense is faster as more mature.

Link to comment

Excellent point on the wifi. BSD tends to move rather slow on drivers and ports. I tend to use dedicated access points. The only card I have running on a pfS is an old D-Link PCI .11-G card. At home I'm using an Edimax AP, and Cisco Aironets at work.

I haven't worked with LEDE, so I'll have to look into it. I like learning new networking tools.

Link to comment

Nice! We are currently playing around with pfSense firewalls. I like the fact that your system includes Wi-Fi. I haven't checked to see if pfSense supports Wi-Fi. Something to look into in the future.

We are documenting our progress on our podcast.

section9.us - Episode 5 – Dorothy’s Firewall Story

I will be looking at the hardware you listed. Always up for another IT project.

Link to comment

pfS technically supports wifi, but BSD drivers for N and AC cards are... unreliable at best. My home setup has the G card as a StreetPass relay/guest network on an isolated subnet.

Several things about pfS I like are the ability to have a single interface act like a trunk port, and traffic analysis tools like ntopng, and little things like OpenVPN, dynamic DNS updater client, and email reports. As I said before, though, I prefer to use external WiFi access points.

Link to comment

LEDE is a fork of OpenWRT which is primarily designed for ARM based devices. They have special x86 builds as well. I went with LEDE because the community is active and willing to help and it was Linux based with the drivers I needed, as I was going bleeding edge Ath10K drivers and firmware for AC wireless. The three stream QCA9880 I picked does not even have a Windows driver at this time.

I am no firewall expert and just went with their default stateful firewall and added the two rules I needed for DNS (stateful firewalls in my opinion are easier to comprehend and set up but are slower). They route data based on the type/port/source or destination, whereas stateless is primarily IP based. I am of the mind that stateful is the future as IPv6 becomes more commonplace, but arguments can be made either way. The image I used runs with IPv6 as well.

I also set up UPnP for automatic port forwarding as I am lazy and this is a home network.

I have spent quite a few days knee deep in Wireshark troubleshooting comms on SCADA networks, so I am no stranger to networking, but this is not what I do every day.

As for IT certs like that stuff in that podcast, I find that most of them are a waste of time. Certs of note would be Cisco Certified. Something like that really stands out on a resume. Too many recent certs usually stands out as indicator of little time with practical field experience. Also pay attention as to what you have to do to maintain your certs and make sure you can keep up with it or you wasted your money.

I am a Chemical Engineer with a minor in IT. I generally just use the IT part to make sure nothing in the SCADA system is configured insecurely and when something on the network is broke and it is holding up the job. It is few and far between how many companies will pay for a decent network engineer, and I wish anyone going for that field the best of luck, but feel most of you will end up as contractors until companies stop looking at IT less as a burden and more as a tool that helps the rest of your business work better.

Link to comment

I use certs as a way to learn new information. There's a lot out there that people don't know. That's my main reason for taking the certs.

Having said that, I also think people should get hands-on experience. Certs by themselves don't mean much. That's why we have a lab to play on. Gives us hands-on experience.

Cisco, CompTIA and SANS are good to have. Again, build a lab if you can. It will help you pass the certs and get hands-on experience.

Firewall projects like this one are a great learning experience.

Link to comment

Damien Hull I agree, and this is probably the closest I can get, but it is no pfSense rig as I stated before. You almost always have to make compromises when dealing with separate components vs an all in one. I do challenge anyone to find something that routes faster than this and has AC wifi with 9 watts of draw though. I will add another radio and USB wifi and then recheck the power usage.

Link to comment

Damien Hull I have always taken the hands on first, get certed if I need it later kind of approach. Can afford an awful lot of hardware to play with if not paying for classes, and there is a full internet full of information and forums with experts.

Granted, I am from the land of SCADA where there are no certifications except for the hardware and software itself.

It is kind of scary that anyone is allowed to wire up a SCADA network for a powerplant or an oil field, and I have seen varying results.

Still kind of amazes me how much RS232 there is out there running the world, as it is cheaper to run than fiber and 3000 ft without a repeater.

Link to comment

Damien Hull I have been an engineer involved in SCADA going on 8 years.

I started off by getting into fuel cells and by my second job I was doing prototype testing. I got to install and operate the largest solid oxide fuel cell powerplant in the world. I got to test out running a molten carbonate fuel cell off of waste treatment gas and producing 8 lbs/hr to fuel fuel cell cars. The hours were pretty crazy; sometimes would work 70 hours a week conditioning.

For my next job, I transitioned into semiconductors, making experimental gas used in making solar panels. Stuff was something out of a Stephen King novel, would burst into a green flame and shoot hydrogen fluoride fumes out into the room. For a quick chemistry lesson, HF is a weak acid that will go through your skin then light the calcium in your bones off like a match and follow it back to your heart.

I now work in engineering support for SCADA software used in oil/gas. My nice cushy desk job at the ripe age of 32 lol. I have never stopped learning and I have always chased my kind of crazy. I may have had 5 OSHA recordables throughout all this chaos (I'll let you guess how they are distributed) but I built up a resume and a temperament that proves I can handle just about anything.

SCADA can sometimes take a special kind of crazy but I would not have it any other way.

Link to comment

Benjamin Webb That is one awesome resume. I'm plotting my next career move. Nothing as awesome as things bursting into green flames and shooting hydrogen fluoride fumes into the room.

For my next move I'm hoping to land a job in information security. Stopping the hackers before they get in. Or maybe something in incident handling. Tracking down the bad guys after they get in.

I'm trying to make it sound half as exciting as yours is. We will see what happens.

Thinking about a second Masters degree to get there.

Link to comment