S.W.I.S.S.

S.W.I.S.S. is an acronym for Smart Wireless Infrastructure Solution for Schools.

Applicability: Schools, libraries, public institutions

Skill level for building it yourself: Medium

Read disclaimer before taking for granted anything I say below!

Prerequisites:

– a wireless router with an Atheros chipset (I managed to make it work on TP-Link TL-WR740N v4 and TL-MR3020 v1 routers). I could not make it work on Broadcom-based routers running OpenWrt (tried on Huawei HG553, HG520v and HG655b).

What it is supposed to do:

Provide a secured wireless mesh infrastructure designed especially for schools. The solution actually contains 3 separate mesh networks, each serving a different purpose:

  • A “Guest” wireless network for students and visitors. It cannot reach the school's local area network, its bandwidth is capped at a configurable value, and access to websites is filtered through a (school-owned) OpenDNS account.
  • A wireless network for administrative staff. This one has no bandwidth or website restrictions beyond what the mesh itself can carry.
  • A wireless network that acts as a virtual library (“Biblio”). It has no Internet access at all; it is used to reach a library website served either by an external computer or by a router integrated into the solution. Think of it as an alternative to LibraryBox (a better one, of course :)).

Concept:

[diagram: swiss concept]

Topology:

[diagram: topology]

Similar projects: Village Telco, LibraryBox

Advantages:

  • Redundant, self-optimizing, self-healing, secured infrastructure: the mesh is based on the 802.11s standard, with mesh links authenticated and encrypted via SAE using the open source authsae implementation
  • Full separation between the administrative, student (Guest) and virtual library (Biblio) networks
  • Web access for Guest users is filtered by OpenDNS through an account created and configured by the school (basic OpenDNS accounts are free; they let you choose and adjust the level of filtering, define exceptions, and block content unsuitable for children such as pornography, gambling and illegal activities)
  • Easy MACD (Moves, Additions, Changes, Deletions)
  • Minimum command line interaction. In fact, you never have to log in to the routers to get a fully functional system. Theoretically (strictly 🙂 ) you can have a working system in less than 10 minutes
  • No cabling between mesh nodes. Deployment means powering on each pre-configured mesh node in a location where it can “see” at least one other mesh node (preferably 2 or more)
  • Low cost. A TP-Link TL-WR740N (the cheapest mesh node) costs about 15 Euro in Romania

It’s fair to expose the disadvantages, too:

  • Not tested in a real environment
  • The same radio carries both the backbone (mesh) and the access network, so the usable bandwidth is at best halved: every frame is sent twice on the same channel, once between client and node and once between nodes, and it drops further with each additional mesh hop
  • All users share the same wireless bandwidth, so bottlenecks are possible with a large number of simultaneous users
  • Filtering of the Guest network is DNS-based. It only holds as long as guest clients cannot reach any resolver other than the gateway's (which the firewall must enforce), and it does nothing against sites reached directly by IP address or through a VPN
  • Separating the backbone from the access network is only possible with more expensive dual band routers (an option worth considering as an upgrade)

How it works

There are 2 kinds of nodes in this mesh network (plus the optional wired library server):

  • Gateway
  • Regular mesh node

I use the TP-Link TL-WR740N v4 for the gateway as well as for the mesh nodes, and the TP-Link TL-MR3020 v1 for the optional library server. These are the most cost-effective OpenWrt-compatible routers I am aware of.

The gateway

  • has 2 WAN connections, one for the Guest network and one for the administrative network. Both can be plugged into the same provider CPE (you don’t need 2 providers): the Guest side is NATed by the gateway, while the administrative side is only bridged through. In my setup, LAN hosts receive private IPv4 addresses via DHCP from the provider’s CPE, but you can modify the setup to use static IPs for the WAN and for the wi-fi clients.
  • provides DHCP (and part of the DNS service) to the Guest and Biblio wireless networks
  • limits the bandwidth used by the Guest network (traffic shaping)
  • provides an HTTPS web interface for changing the wi-fi passwords (a change propagates to all routers in under a minute) and the bandwidth allocated to the Guest network

Mesh node

  • handles the authentication of wireless clients (WPA2-PSK on the three SSIDs) and relays their traffic over the mesh to the gateway
  • has a dedicated Ethernet port for connecting the library server (or the LAN segment that contains it)

(Optional, wired) Library server

Technically, any machine can serve as the library server, as long as it has the IP address 172.20.2.100/24 and runs a web server listening on port 80. Connect it as depicted below.

The Biblio network works like this:

– every DNS query sent to the Biblio network’s DNS server is answered with 172.20.2.100, whatever the name asked for (i.e. “who is mylibrary.ro?” – “mylibrary.ro is at 172.20.2.100”). Any hostname a user types therefore lands on the library server.

– I recommend not reinventing the wheel: use the already mature Calibre ebook management tool and calibre2opds for managing your ebook/document collection. You can configure Calibre’s content server to listen on port 80 (not its default 8080), or serve the files generated by calibre2opds with your own web server.

I have included, as an option, a firmware image for a TP-Link TL-MR3020 router that acts as the web server. After flashing it and plugging in a FAT32-formatted USB memory stick, you have a fully functional library server. The content is up to you, but I have included files generated by calibre2opds to make it easier.
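To make the separation described in this section concrete, here is an added example of what the gateway's firewall configuration can look like. It is not the project's own /etc/config/firewall (that file is in the download archive but is not shown on this page). The logical interface names guest, biblio, lan and wan_guest are assumptions, as is the detail that the gateway's own resolver forwards guest queries to OpenDNS. The script writes the configuration and then lints it, refusing any forwarding that would let the Guest network reach anything but its NATed uplink or let anything be forwarded into the Biblio or LAN segments.

```shell
#!/bin/sh
# Added example, not the project's /etc/config/firewall (in the archive, not shown
# on the page). Writes gateway zones enforcing the separation described above,
# then lints the result. Assumed names: interfaces guest, biblio, lan and
# wan_guest (the NATed uplink). The administrative network is bridged to the
# provider CPE through LAN port 4 and therefore gets no zone of its own.

write_firewall() {
    cat > "${1:-/etc/config/firewall}" <<'EOF'
config defaults
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'wan_guest'
	list network 'wan_guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'

# Guest: Internet only; nothing on the gateway itself except DHCP and DNS
config zone
	option name 'guest'
	list network 'guest'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config forwarding
	option src 'guest'
	option dest 'wan_guest'

config rule
	option src 'guest'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'

# OpenDNS filtering holds only if guests cannot use another resolver: every
# port-53 packet from the guest zone is redirected to the gateway's own
# resolver (no dest_ip means REDIRECT to the router), which forwards to OpenDNS
config redirect
	option name 'guest-force-local-dns'
	option src 'guest'
	option proto 'tcp udp'
	option src_dport '53'
	option target 'DNAT'

# Biblio: no forwarding at all; clients reach the gateway's DHCP/DNS and the
# library server on their own segment
config zone
	option name 'biblio'
	list network 'biblio'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config rule
	option src 'biblio'
	option proto 'udp'
	option dest_port '53 67'
	option target 'ACCEPT'
EOF
}

# Lint: the only forwarding allowed is guest -> wan_guest, and nothing may be
# forwarded into lan or biblio. Prints the first violation and returns 1.
check_isolation() {
    pairs=$(tr -d "'" < "${1:-/etc/config/firewall}" | awk '
        function flush() { if (fwd && s != "") print s ":" d; fwd = 0; s = d = "" }
        /^config / { flush(); fwd = ($2 == "forwarding") }
        fwd && $1 == "option" && $2 == "src"  { s = $3 }
        fwd && $1 == "option" && $2 == "dest" { d = $3 }
        END { flush() }')
    for p in $pairs; do
        case "$p" in
            guest:wan_guest) ;;
            guest:*|*:lan|*:biblio) echo "isolation violated: $p" >&2; return 1 ;;
        esac
    done
    return 0
}

case "${1:-}" in
    --install) write_firewall && check_isolation && /etc/init.d/firewall restart ;;
    --check)   check_isolation "${2:-}" ;;
    *)         echo "usage: $0 --install | --check [file]" >&2 ;;
esac
```

Run it with --install on the gateway (it rewrites /etc/config/firewall and restarts the firewall) or with --check FILE to lint a configuration before committing it. The DNS redirect is what turns OpenDNS from a suggestion into a control: without it, a guest who manually sets a public resolver such as 8.8.8.8 bypasses the filter entirely.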

Get started

The easy way

The easy way is to flash the provided .bin firmware to the gateway and to (all) your mesh nodes. If you don’t need any customization, that’s the way to go. Make sure your provider’s CPE (or internal server) has DHCP enabled for LAN clients, then connect the WAN port and LAN port 4 to the provider’s CPE with Ethernet patch cords. It should work out of the box!

The hard way

You can start from the stock OpenWrt firmware and build a customized version based on the files provided.

My way

If you lack the skills to build it yourself, you can contact me to order one or more pre-configured boxes. Please keep in mind that what you pay for is not a customization service, but a box configured with the latest stable version of the firmware. If you need customized behaviour of the appliance, please contact me.

Quick start

  • download the latest stable version for the gateway and for the mesh nodes
  • flash the firmware to the routers according to their role in the network (gateway or mesh node)
  • connect the gateway to the outside world following the diagram below. By default, the provider’s router is assumed to also be a DHCP server. If you have a static IP, a few tweaks are necessary

[diagram: swiss_gw]

  • connect the library server (a PC or a TP-Link TL-MR3020 router) to a mesh node as shown in the diagram below. For the moment, the library server cannot be connected directly to the gateway (only to a mesh node); this is one of the problems I want to solve in the next version.

[diagram: connect_library_srv]

  • customize your installation (passwords, etc.) by connecting to the gateway from your browser at https://192.168.0.201/. The gateway’s default LAN address is 192.168.0.201, and only the ports marked 1, 2 and 3 belong to the LAN interface; port 4 is an uplink, as the picture above shows. Don’t forget the “s” in https: the interface is served over HTTPS only, and because the certificate is self-signed your browser will warn the first time you connect.

Default values:

Default username/password for the webpage: admin/adm1n (can be changed from the admin webpage itself).

All of the values below are identical on every unit flashed from the public images, so anyone who has read this page can log in to a node over SSH, open the gateway’s web interface or join any of the three wireless networks. Change them before the first node goes on air: the web interface changes its own login and the wi-fi passwords (the latter are propagated to all nodes), while the root password used by SSH has to be set on each router with passwd.

Other defaults:

  • Gateway
    • SSH username/password: root/sw1ss
    • Https webpage username/password: admin/adm1n
    • LAN IP address: 192.168.0.201
  • Mesh node
    • SSH username/password: root/sw1ss
    • LAN IP address: 192.168.0.204
  • Library server
    • IP address 172.20.2.100/24
    • web server on port 80
  • Wireless defaults:
    • SSID Administrativ:
      • encryption: psk2
      • password: secretkey
    • SSID Guest:
      • encryption: psk2
      • password: moresecret
    • SSID Biblio:
      • encryption: psk2
      • password: dersecret

Extra information for DIY type of people 🙂

  • commands to generate the firmware are:
Gateway:
make image PROFILE=TLWR740 PACKAGES="curl wshaper authsae haserl mini-httpd-openssl mini-httpd-htpasswd iwcap -kmod-ppp -kmod-pppox -kmod-pppoe -kmod-ipv6 -kmod-ip6tables -odhcp6c -ppp -ip6tables -ppp-mod-pppoe -libip6tc" FILES=files/gw
Mesh nodes:
make image PROFILE=TLWR740 PACKAGES="curl wshaper authsae haserl mini-httpd-openssl mini-httpd-htpasswd iwcap -kmod-ppp -kmod-pppox -kmod-pppoe -kmod-ipv6 -kmod-ip6tables -odhcp6c -ppp -ip6tables -ppp-mod-pppoe -libip6tc" FILES=files/meshnode
  • non-default files to include (you can find them in the download section):
Gateway:
files$ tree gw
gw
├── etc
│   ├── authsae_mesh1.conf
│   ├── authsae_mesh_b.conf
│   ├── authsae_mesh_g.conf
│   ├── authsae_mesh_internal.conf
│   ├── config
│   │   ├── firewall
│   │   ├── network
│   │   ├── swiss
│   │   ├── system
│   │   └── wireless
│   ├── crontabs
│   │   └── root
│   ├── globals
│   ├── group
│   ├── init.d
│   │   ├── backbone_status.sh
│   │   ├── create-status-page.sh
│   │   ├── exec_common_cmd
│   │   ├── exec_custom_cmd
│   │   ├── meshnodes_not_connected.sh
│   │   ├── start_mesh
│   │   ├── start_mesh_2
│   │   ├── start_mesh_3
│   │   ├── start_mesh_4
│   │   ├── update_bw
│   │   └── update_opendns.sh
│   ├── meshnodes
│   ├── mini_httpd.conf
│   ├── mini_httpd.pem
│   ├── passwd
│   ├── preinit
│   ├── profile
│   ├── rc.local
│   ├── resolv.conf
│   ├── shadow
│   ├── TZ
│   └── uci-defaults
│       ├── disable-services
│       └── disable-services~
└── www
    ├── bw
    ├── cgi-bin
    │   ├── bw.cgi
    │   ├── get.cgi
    │   ├── mesh_pwd.cgi
    │   ├── opendns_confirm.cgi
    │   ├── pw_confirm_acc.cgi
    │   ├── pw_confirm.cgi
    │   ├── stat.cgi
    │   └── syslog.cgi
    ├── common.cmd
    ├── css
    │   ├── lightbox.css
    │   ├── slider.css
    │   └── style.css
    ├── index.html
    ├── logo.jpg
    ├── mesh.txt -> ../tmp/mesh.txt
    ├── settings
    └── wifi.txt -> ../tmp/wifi.txt

8 directories, 56 files
Mesh nodes:
files$ tree meshnode
meshnode
├── etc
│   ├── authsae_mesh1.conf
│   ├── authsae_mesh_b.conf
│   ├── authsae_mesh_g.conf
│   ├── authsae_mesh_internal.conf
│   ├── config
│   │   ├── network
│   │   ├── swiss
│   │   ├── system
│   │   └── wireless
│   ├── crontabs
│   │   └── root
│   ├── globals
│   ├── group
│   ├── init.d
│   │   ├── create-status-page.sh
│   │   ├── exec_common_cmd
│   │   ├── exec_custom_cmd
│   │   ├── start_mesh
│   │   ├── start_mesh_2
│   │   ├── start_mesh_3
│   │   ├── start_mesh_4
│   │   └── update_pwd
│   ├── mini_httpd.conf
│   ├── mini_httpd.pem
│   ├── passwd
│   ├── preinit
│   ├── profile
│   ├── rc.local
│   ├── resolv.conf
│   ├── shadow
│   ├── TZ
│   └── uci-defaults
│       └── disable-services
└── www
    ├── mesh.txt -> ../tmp/mesh.txt
    └── wifi.txt -> ../tmp/wifi.txt

6 directories, 40 files

Before building a production image from these files, look at three of them. etc/mini_httpd.pem is the certfile mini_httpd loads its certificate and private key from, so every gateway built from the archive presents the same certificate and anyone who downloaded the archive holds its private key; generate a fresh one per gateway and keep it out of any tree you share. etc/shadow carries the hash of the default root password and the authsae_mesh*.conf files carry the mesh peering passwords, so these too are identical on every stock node; change them in your own files/ tree. Finally, uci-defaults/disable-services~ is a stray editor backup; delete it, since OpenWrt runs every file in /etc/uci-defaults at first boot.
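Because mini_httpd.pem ships in the archive, every gateway built from it has the same certificate and private key. The following added script (not part of the project) generates a per-gateway replacement with openssl; it assumes openssl is available on your build host, defaults the certificate name to the gateway's LAN address 192.168.0.201, and writes the combined key-plus-certificate file mini_httpd expects. Where that file goes is the location named by certfile in mini_httpd.conf, assumed here to be etc/mini_httpd.pem in the files tree (or /etc/mini_httpd.pem on a running gateway).

```shell
#!/bin/sh
# Added example, not from the S.W.I.S.S. archive: give every gateway its own
# mini_httpd certificate and private key instead of the shared mini_httpd.pem.
# mini_httpd reads both from the single PEM file named as certfile in
# mini_httpd.conf, so key and certificate are concatenated into one file.
# Assumes openssl on the build host. Copy the result to /etc/mini_httpd.pem on
# the gateway, or into files/gw/etc/ before running make image.

make_gateway_pem() {
    out="$1"                        # destination PEM file
    cn="${2:-192.168.0.201}"        # the name the admin types into the browser
    days="${3:-1825}"
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=$cn/O=SWISS gateway" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1 || return 1
    # key first, then certificate; the file must not be world readable
    ( umask 077; cat "$tmp/key.pem" "$tmp/cert.pem" > "$out" ) || return 1
    rm -rf "$tmp"
}

# Print the SHA-256 fingerprint of the certificate inside a PEM file. Record it
# when the file is made and compare it with what the browser shows the first
# time it warns about the self-signed certificate: that comparison, not the
# padlock, is what tells the real gateway from a device impersonating it.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
}

# usage: make_gateway_pem files/gw/etc/mini_httpd.pem && pem_fingerprint files/gw/etc/mini_httpd.pem
```

Regenerate the file for every gateway you build (one key per device), and rebuild or copy it in place before the gateway is reachable by anyone but the administrator.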

Downloads

You can find the latest stable version below. Older versions can be found here.

Gateway (version January 18, 2015):

Factory to Openwrt:

https://www.dropbox.com/s/d52s8lt162zva0m/gw-18012015-openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin?dl=0

MD5: 441A4A713D5E630CABF4EA2337E77EF6

SHA-1: 2CA43410F3324D4ABAF69D5131F025A8A7916A9E

Sysupgrade:

https://www.dropbox.com/s/iqu7ph7ee5wlac0/gw-18012015-openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-sysupgrade.bin?dl=0

MD5: 736E73F9E02063C0F706A07FBF0B1783

SHA-1: A1DAD84F774BCBDEBF2E4F3B4C393D9517F761E6

Mesh node (version January 18, 2015):

Factory to Openwrt:

https://www.dropbox.com/s/t5p2i1r3kamccf8/meshnode-18012015-openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin?dl=0

MD5: 38ABA5E13809FD9D753D539EEB2A30C4

SHA-1: D2E72CECB1D1AB885E9C0AD536971A3941145CA8

Sysupgrade:

https://www.dropbox.com/s/f9zyyjxmtjrkuvo/meshnode-18012015-openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-sysupgrade.bin?dl=0

MD5: 6E54FBC2753B973192BF2B6E7B2DF7AC

SHA-1: 7665976F88EBF7C935241D522384252F8D24C1C9

Files:

Gateway & Mesh nodes:

https://www.dropbox.com/s/5iuqejn4xku8s0h/files-18012015.tar.gz?dl=0

MD5: E062B53ED0CE438D56D7AE5D8877E68F

SHA-1: 4B7C14F36F80663FAD44233EC2AB90FD9A63D1EA

Library server (version January 19, 2015):

Factory to Openwrt:

https://www.dropbox.com/s/iczt03pvzpjjhm9/book-19012015-openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-factory.bin?dl=0

MD5: 08209449E586E46E8059D42DDF1276FF

SHA-1: 0A8124520DF1884CEC5909B4496C65662128A9CB

Sysupgrade:

https://www.dropbox.com/s/o9q4bl2qh4opsi0/book-19012015-openwrt-ar71xx-generic-tl-mr3020-v1-squashfs-sysupgrade.bin?dl=0

MD5: 0812F1E164298369ECC1E6D18331BBBB

SHA-1: 7B5F191C259E4AABA139B5D727DD5ECE1903F040

Calibre demo files (unzip to your FAT32 formatted USB stick)

https://www.dropbox.com/s/hs01w1v0qff5c9y/calibre.zip?dl=0
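An added check, not part of the page: a small shell function that verifies a downloaded image against the MD5 and SHA-1 values listed above before it is flashed. The hashes on this page are printed in uppercase while md5sum/sha1sum print lowercase, so both sides are folded to lowercase before comparison. Keep in mind what a match proves: that the file you have is the one these values describe, not who built it, because the values sit on the same page as the links. MD5 and SHA-1 are no longer collision resistant, but they still catch a corrupted or swapped download as long as the attacker cannot also edit this page.

```shell
#!/bin/sh
# Added example, not from the page: check a downloaded image against the MD5 and
# SHA-1 values listed next to it before flashing. Uses md5sum/sha1sum when
# present and falls back to openssl dgst otherwise.

hexdigest() {   # hexdigest ALGO FILE, ALGO is md5 or sha1; prints lowercase hex
    if command -v "${1}sum" >/dev/null 2>&1; then
        "${1}sum" "$2" | cut -d' ' -f1
    elif command -v openssl >/dev/null 2>&1; then
        openssl dgst -"$1" "$2" | sed 's/^.*= *//'
    else
        echo "no $1 tool available" >&2
        return 2
    fi
}

lower() { printf '%s' "$1" | tr 'A-F' 'a-f'; }

# verify_image FILE MD5 SHA1 -> 0 if both match, 1 on any mismatch, 2 if no tool
verify_image() {
    file="$1"; want_md5=$(lower "$2"); want_sha1=$(lower "$3")
    got_md5=$(hexdigest md5 "$file") || return 2
    got_sha1=$(hexdigest sha1 "$file") || return 2
    [ "$got_md5" = "$want_md5" ] && [ "$got_sha1" = "$want_sha1" ]
}

# usage with the gateway factory image and the values listed on this page:
# verify_image gw-18012015-openwrt-ar71xx-generic-tl-wr740n-v4-squashfs-factory.bin \
#     441A4A713D5E630CABF4EA2337E77EF6 2CA43410F3324D4ABAF69D5131F025A8A7916A9E \
#     && echo "image matches the published hashes"
```

Run the check on the exact file you are about to upload to the router; a sysupgrade of a mismatching image is the one step in this procedure that is not easily undone from the web interface.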
