The DBOX2 Router
----------------

powered by the Tuxbox Project (http://tuxbox.berlios.de)

The router is distributed under the GNU public license.
imond is part of the fli4l project (http://www.fli4l.de), which is also distributed under the GNU PL.

Warning
-------

You are not allowed to distribute any modified versions of this image that include illegal or unlicensed software or are prepared to run illegal or unlicensed software. You are also not allowed to discuss any methods on how to modify this image in order to run illegal or unlicensed software. That especially includes any software to access Pay TV channels in any way other than intended by the Pay TV broadcaster, or that uses conditional access systems other than Betacrypt, which is the only system licensed on the dbox2.

By installing this image on your dbox2 you agree to comply with the rules stated above. Failure to comply with these rules will result in the immediate discontinuation of further development on this image.

And once more, for all the dimwits who claim they can't read English: no emu, or the router's gone.

Features
--------

- Internet access for multiple hosts on a private LAN using either a direct connection to an Internet-connected network (tcpip mode), certain cable modems (dhcp mode) or a pppoe connection to the Internet (T-DSL)
- Dial on demand for pppoe
- DNS server or forwarding. The DNS server can host your complete LAN and acts as caching DNS server for Internet connections
- DHCP server for the private LAN
- FTP server to host small files
- SSH daemon: allows you to securely (with public key encryption) access your LAN or even the desktop of your LAN hosts from wherever you are over the Internet, including secure encrypted file transfer with secure ftp
- nfs and samba clients to mount Linux or Windows filesystems on your dbox, therefore making them available to the secure ftp server
- DynDNS support
- Imon command interface (pppoe only): enables you to use various imon clients from the fli4l disk router project with your dbox2 router to trigger manual dial/hangup, shutdown/reboot your router and to monitor data transfer rates and CPU load of your dbox2 router
- Most Linux iptables features, for example:
  - Firewall (you have to configure it yourself though)
  - Port forwarding (if configured). Examples for ftp, http and icq port forwarding included
  - Support for "transparent hosts": a transparent host is a host on the internal LAN that appears to be directly connected to the Internet, meaning all ports can be used for incoming connections, although it is using NAT. You can either configure one host that's visible from the whole Internet, or even multiple internal hosts that are each visible to certain Internet hosts only.
- Dial and hang up the Internet connection with your remote control (pppoe mode only)
- TV watching: Neutrino

July 27th, 2002

History
-------

V0.8: Initial release: PPPOE Router only

V0.9 - 21-Dec-01:
- added Neutrino GUI 12-Dec-01

V1.0.14 - 08-Jan-02
- updated Neutrino to 1.0.14
- added EliteDVB 26-Dec-01
- added C64 Emu
- added LCD startmenu
- make ftpd secure: on the earlier images you could log on with ftp as root without a password. This is now fixed.
- The toplevel ftp directory is now the root directory of the dbox2.
- mtd partition sizes changed: from now on I'll only use as much space as needed for the cramfs and leave the rest to the jffs2 fs
- added EliteDVB settings editor eZapWizard to the distribution: thanks to Locutus of Borg

V 1.0.15 - 18-Jan-02
- Updated Neutrino to 1.0.15
- added dial-on-demand option (yes, I know, I said I wouldn't... now it's there anyway)
- added imon command interface
- added DNS server
- added option to make the dbox2 ftp server available to users on the Internet
- use tmpfs instead of ramfs, because ramfs lacks support for size limitation of the RAM filesystem (which is needed for safe FTP server operation, especially if you want to allow uploads)

V 1.0.17 - 03 Feb 02
- Updated Neutrino to 1.0.17
- exton and extoff scripts now work on Sagem and Philips also
- fixed timezone
- scripts for switching LNB voltage and tone from the command line
- added rcmenu: start scripts from your remote control
- fixed problems with Sagem 1xI
- LED support for Nokia

V 1.0.17b - 05 Feb 02
- Support for WinZapit

V 1.0.19 - 18 Feb 02 - Stability release SAT TV / Neutrino
- Updated Neutrino to 1.0.19
- Bugfix: jffs2 filesystem erase bug
- use more conservative timeout settings in Neutrino
- fixed AV Sync (Neutrino only) on some channels (BVN, Andalucia TV, TVC INT, Canal Canarias, Fox News, RTS SAT)
- allow reception of all free French & Spanish radio stations in Neutrino (standard Neutrino allows only 10 apids per service). Some problems remain with the layout
- show names of French & Spanish radio stations in the Select Language menu in Neutrino

V 1.0.19b - 03 Mar 02
- New router modes "dhcp" and "tcpip"
- optional DHCP server
- Teletext in Neutrino thanks to lazyT
- "multiple PMT on one pid" bugfix for zapit
- EliteDVB / EZapWizard replaced by Enigma
- Satfind and command line client for zapit added

V 1.0.19c - 10 Mar 02
- Improved rcmenu: it can now start the TV GUI and it has a sleep mode, where it doesn't react to anything but the standby key
- adjust dbox2 real time clock during boot (satellite only)

V 1.0.20 - 22 Mar 02
- TV GUI updates: copy protection on SPDIF switched to "one copy allowed", SPDIF mute in Neutrino, Audio Mode (stereo, mono left/right) in Neutrino, EPG Cache and PCR pid support in Enigma

V 1.0.21 - 08 Apr 02
- add identd forwarding configuration to /etc/rc.config
- update Neutrino & Enigma

V 1.0.21a - 19 Apr 02
- added streaming (should work, only tested audio)
- Tuxtxt upgraded to version 1.9: now supporting caching of subpages and split screen text/picture (thanks to LazyT)
- add configuration variables for LNB LOF frequencies to rc.config, fixing problems with receiving high frequency transponders from ASTRA on Nokia (sorry, still no fix for Sagem)
- updated busybox (some improvements for vi)

V 1.1.0 - 28 Apr 02
- added ssh server: allows you to log in securely (with public key encryption) from the outside (Internet) into your LAN, including secure file transfer via sftp (secure ftp)
- added Samba client: allows you to mount Windows 95/98/NT/2000/XP shares on your d-box, therefore making them available for secure file transfer via sftp/ssh
- Neutrino, Enigma and driver update (PIG not working at the moment)
- removed C64 Emu (no space left in flash)

V 1.1.0a - 08 May 02
- new ppcboot for 2-flash dbox2 (hopefully fixes display problems on some Nokia)
- replaced ftp server with pure-ftpd
- support configuration of port forwarding for multiple ICQ and/or IRC clients and one eDonkey client on the internal LAN through /etc/rc.config
- wake on LAN
- Improved Sagem and Nokia tuner drivers (Sagem should work now on ASTRA MTV and ORF transponders and both can at least receive some SCPC channels)

V 2.0.0beta - 29 May 02
- new kernel 2.4.19pre8 - there still might be some broken features - therefore consider this version to be BETA and report everything to http://tuxbox.berlios.de/forum/
- kernelspace pppoe driver is now capable of MSS clamping, therefore using it as the default driver
- Neutrino upgrade to cvs version May 28, 2002
- removed Enigma (no space in flash left)
- readded C64 Emu

V 2.0.1beta - 06 Jun 02
- Samba server
- TuxTxt Update

V 2.0.1a beta - 09 Jun 02
- gtx streaming fix by tmbinc

V 2.0.1b beta - 14 Jun 02
- Teletext via VBI works, thanks to lazyT

V 2.0.1c beta - 20 Jun 02
- Bugfix - Kernel pppoe driver broken - Workaround: use rp-pppoe

V 2.0.1d beta - 11 Jul 02
- small fix in /etc/init.d/loadAllDrivers: on Nokia cable boxes, the tuner driver didn't load when inversion was switched on

V 2.1.0 - 19 Jul 02
- ATTENTION: the manner in which you have to combine the ppcboot loader with the actual router image has changed in this release. Please read the chapter "Software installation" again
- added screen - a virtual screen manager for telnet/ssh logins
- auto inversion on Nokia cable
- driver update Sagem cable
- some zapit improvements for "channel not available"
- new ppcboot featuring boot logos (anyone want to design a nice router logo?)
- Kernel 2.4.19-rc1

V 2.1.0a - 27 Jul 02
- Neutrino plugins for Satfind and Wake-On-Lan added, please add the MAC address for WOL in /etc/ether-wake.conf

V 2.1.1 - 02 Aug 02
- new ppcboot, hopefully fixing some boot problems
- Kernel 2.4.19-rc4: Kernel PPPoE driver working again

V 2.2.0 - 09 Aug 02
- Kernel 2.4.19 final
- removed Samba server (but not client) and C64 Emu
- added support for Virtual Private Networking (PPPoE only)
- added tcpdump
- added top
- added automatic loop through of VCR AV signals if dbox2 is in Router only mode

V 2.2.0a - 10 Aug 02
- fix a security hole
- new rc.config variable to deactivate VPN if not needed
- new rc.config variable to turn syn flooding protection on/off

V 2.2.1 - 14 Aug 02
- update Neutrino + drivers
- add isdnmond: when using dbox2isdn 1.0 on a Windows PC, incoming ISDN calls will be displayed on the LCD display when in Router only mode

V 2.2.1a - 15 Aug 02
- small fixes in isdnmond

V 2.2.1b - 21 Aug 02
- make parsing of dbox2isdn's http messages less strict in isdnmond

V 2.2.1c - 04 Sep 02
- support multiple donkeys on the LAN
- configure MTU of the Internet connection through rc.config

V 2.2.1d - 02 Oct 02
- Philips boot fix
- Satfind and non-Astra symbolrates working on Philips

V 2.2.1e - 05 Dec 02
- added ReceiveWindow Config
- added HTB bandwidth control, this is totally untested and undocumented, for more information see German computer magazine c't issue 24/2002, page 224

V 2.3.0 - 24 Jan 03
- Kernel 2.4.20
- Added scanTP - a small command line tool to do a manual channel scan on a single transponder

V 2.3.1 - 11 Feb 03
- Tuxtxt 1.4x
- TuxNews 0.4

V 2.3.2 - 21 Feb 03
- fix driver issues with Nokia cable box
- new TuxTxt

Hardware Installation
---------------------

As you probably noticed, the dbox2 has only one network card. So, to be able to use the dbox2 as a router, you have to use a twisted-pair hub or switch and connect the dbox2, all your LAN hosts and the DSL or cable modem to this hub.

If your DSL or cable modem was connected directly to the network card of one of your LAN hosts up until now, you'll have to connect it to the uplink port of your hub. If your hub doesn't have an uplink port, you'll have to exchange the TP cable between the DSL or cable modem and the hub. The new cable must be either a crossed one or a straight one (depending on what you had up until now, you'll need the other one; for T-DSL it should be a crossed TP cable).

To connect to your dbox2 via the serial port, you'll need a crossed serial cable (null modem cable).

Software Installation
---------------------

First, you have to create an image suitable for your dbox2. You have to append dbox2Router.img to the correct ppcboot.xf.img. ppcboot.1f.img is for Sagems with one flash chip, ppcboot.2f.img is for all boxes with 2 flash chips. Choose the correct one for your dbox2 and append dbox2Router.img to it.

Linux:

    cp ppcboot.xf.img 13.img
    cat dbox2Router-x.x.x.img >>13.img

Windows:

    copy /b ppcboot.xf.img+dbox2Router-x.x.x.img 13.img

13.img should now have exactly 8.257.536 bytes. Flash this file into your dbox2. If you need instructions on how to do that, go to http://tuxbox.berlios.de/flash and read the install.txt from there. If you prefer to do it with Windows, take a look here: http://www.dbox.feldtech.com

TCP/IP Basics
-------------

There seem to be people out there who don't know this stuff. Why they think they can just use this router under these circumstances is beyond me... So, you'll have to learn about TCP/IP networking basics before anything in this readme makes any sense to you. Here's a very good book on the subject (and it's free!): http://www.oreilly.com/catalog/linag2/book/

Configuration
-------------

Well, after installation just let it boot out of the flash. You will have a serial console at 9600 bit/s 8N1. You can also log in via telnet. The initial IP address of the dbox2 is 192.168.40.21, root password "dbox2".
I suggest using passwd immediately to change the root password.

The ftp server running on the dbox2 is always running in internal mode after booting. Internal mode means it will not be accessible from the Internet and you can log on to the FTP server as root to upload ucodes and channel settings. Keep in mind that you'll start at the root directory of your dbox2 after a successful ftp login. This is contrary to other dbox2 images, where the ftp server lets you access /var only.

You can also mount filesystems via nfs and also Windows shares (see "Using ssh/sftp/samba client for secure access to your LAN from the Internet").

There is a vi editor installed on the dbox2 to change all the configuration files directly on the box.

/etc/rc.config
--------------

This is where you change the most basic configuration parameters of your dbox2. Reboot to effect changes unless otherwise noted.

DBOXIP - the IP address of your dbox2 on the internal LAN.
HOSTNAME - the hostname of your dbox2.
NETWORK - your LAN network. Should be a bitwise AND of your DBOXIP and the NETMASK.
NETMASK - netmask of your LAN network
BROADCAST - broadcast address of your LAN network
MTU - maximum transfer unit (1500 should be fine)
INET_MASQ - IP/netmask of the hosts in your internal LAN you want the dbox2 to provide routing services for (i.e. which hosts to masquerade).
ROUTER_PROTOCOL - selects the router mode. pppoe is for pppoe connections, tcpip is for connecting to LANs already on the Internet, dhcp is basically the same as tcpip, but with automatic configuration through DHCP (use it with certain cable modems, for example)
ENABLE_SYN_FLOODING_PROTECTION - normal TCP/IP networking is open to an attack known as "SYN flooding". This denial-of-service attack prevents legitimate remote users from being able to connect to your computer during an ongoing attack and requires very little work from the attacker, who can operate from anywhere on the Internet. If you say yes here, the TCP/IP stack will use a cryptographic challenge protocol known as "SYN cookies" to enable legitimate users to continue to connect, even when your machine is under attack. There is no need for the legitimate users to change their TCP/IP software; SYN cookies work transparently to them.
ISP_NAME - name of your Internet service provider. This is what is displayed in imon clients. It has no effect on any of the router's functions (pppoe mode only)
ISP_COST - cost per minute for your Internet connection. Will be used by imon clients (pppoe mode only)
ISP_CHARGE_INT - charge interval in seconds for your Internet connection. Will be used by imon clients (pppoe mode only)
ISP_USER - username for your connection to the Internet (pppoe mode only)
ISP_PW - password for your connection to the Internet (pppoe mode only)
ISP_MTU - MTU for the pppoe Internet connection. Use 1492 for T-Online and 1454 for Mediaways (Callandro/Expressnet/T-Link). Remember that on most flatrates you're not allowed to have more than one PC in your LAN accessing the Internet at the same time
ISP_RCVWIN - receive window for the Internet connection. Should be ((ISP_MTU - 40) * x) < 65536. With this, you can tweak your Internet connection to its limits. Usually a high value is recommended for interleaved ADSL connections such as T-DSL in Germany.
ISP_SNDWIN - send window for the Internet connection. Should be ((ISP_MTU - 40) * x) < 65536.
USE_KERNELLEVEL_PPPOE - choose to run either the user level or the kernel level PPPOE driver. The kernel driver uses less CPU time. KERNEL LEVEL DRIVER CURRENTLY BROKEN, SO DON'T CHANGE THIS.
DIALMODE - off, manual or auto. Auto is dial-on-demand. See DNS for additional configuration necessary to use dial-on-demand. This is the dialmode used after booting. It can of course be changed at any time with an imon client (pppoe mode only)
PING_DELAY - see "Locking the Internet connection" below (pppoe mode only)
PPP_IDLETIME - timeout in seconds after which the dbox2 closes the Internet connection automatically if there's no traffic (pppoe mode only)
TCPIP_INET_IP - IP address of the router on the public Internet-connected network (tcpip mode only)
TCPIP_INET_NETMASK - netmask of the public network (tcpip mode only)
TCPIP_INET_BROADCAST - broadcast address of the public network (tcpip mode only)
TCPIP_INET_GW - gateway or default route of the public network (tcpip mode only)
TCPIP_INET_DNS - DNS server of the public network (tcpip mode only)
TCP_INET_MTU - maximum transfer unit for the public network (tcpip mode only)
DNS - set to forward for DNS forwarding (as in earlier images) or to server to use the new builtin DNS server. Dial-on-demand will only work with DNS set to server. If you set it to server, you have to give your LAN domain a name and list all your LAN hosts in domain.conf. If you want to use dial-on-demand, you also need to supply at least one valid DNS server of your ISP in domain.conf.
DHCP - if set to yes, a DHCP server for the private LAN will be started on the router. You have to list all clients in /etc/domain.conf and list their Ethernet MAC addresses as third parameter. Be careful when you're running the DHCP server in dhcp router mode: if your ISP's dhcp server doesn't ignore unknown clients completely, you might run into problems.
DHCP_RANGE - if you want to use dynamic IP address assignments on your private LAN. By default only static assignments are provided to known clients that are listed in /etc/domain.conf. See third party dhcp documentation and change the default DHCP behaviour in /etc/dhcp.conf.generic if you want to use dynamic IP address assignments
DHCP_DEFAULT_LEASETIME - default leasetime of IP addresses in seconds
DHCP_MAX_LEASETIME - maximum leasetime of IP addresses in seconds
SSHD - start the ssh daemon when booting. This has to be set to yes if you want to be able to access your LAN from the Internet.
SSH_ACCESS_FROM_INTERNET - allow connections to be made from the Internet to the ssh daemon on the dbox2. With ssh, all communication is encrypted, so the only security risk here is if you leave or lose your private key somewhere. This has to be set to yes if you want to be able to access your LAN from the Internet. See "Using ssh/sftp/samba client for secure access to your LAN from the Internet" for more information.
FTPD_SIZE - size of the tmpfs used for the ftp server (for example 8M)
FTPD_CREATE_PUBLIC_UPLOAD_DIR - creates a public upload directory to which anonymous ftp users can upload files.
WORKGROUP - this is the name of your Windows workgroup for the samba client. If you're running a German Windows and haven't changed it, the name is probably "ARBEITSGRUPPE".
NETBIOS_NAME - the name of your dbox2 within the Microsoft Network
IMOND_PASS - password for user access to imon features. If left blank, no password is needed. See the imon section for more information (pppoe mode only)
IMOND_ADMIN_PASS - password for admin access to imon features (pppoe mode only)
IMOND_DIAL - if set to yes, imon allows you to dial a manual Internet connection in imon user mode. If set to no, you'll need IMOND_ADMIN_PASS (admin access only) to do so (pppoe mode only)
IMOND_HANGUP - same for manually shutting down an Internet connection (pppoe mode only)
IMOND_SETDATE - allows setting the date/time of the dbox2 through imond (pppoe mode only)
IMOND_LCD - same for the lcddark and lcdoff commands, see the imon section (pppoe mode only)
IMOND_SCART - same for SCART throughput control, see the imon section (pppoe mode only)
IMOND_FTPD_STATE_CHANGE - same for ftp server mode selection. See the imon and ftpd sections (pppoe mode only)
IMOND_DYNDNS - same for dyndns updates (pppoe mode only)
USE_DYNDNS - use the DynDNS client to update your IP address on the DynDNS server every time you dial in. You have to run "ddup --makeconf" once and enter your DynDNS username/password before you can use this feature. Redial your Internet connection to effect changes (pppoe mode only)
DYNDNS_HOSTNAME - the DynDNS hostname you want to update.
USE_VPN - turn VPN support on or off
USE_FTP_FORWARDING - forward any incoming FTP connections to a host in your LAN. This will be disabled while the ftp server on your box is running in external mode.
FTP_FORWARDING_HOST - IP address of the host you want to forward incoming FTP connections to.
USE_HTTP_FORWARDING - forward any incoming HTTP (WWW) connections to a host in your LAN.
HTTP_FORWARDING_HOST - IP address of the host you want to forward incoming World Wide Web connections to.
USE_IDENTD_FORWARDING - forward incoming ident requests on tcp port 113. Necessary for some IRC servers.
IDENTD_FORWARDING_HOST - host to forward ident requests to
USE_ICQ_FORWARDING - forward incoming ICQ connections to one or multiple hosts in your LAN.
ICQ_FORWARDING_N - number of ICQ forwardings you want to configure (one for every machine on your LAN that will be running an ICQ client)
ICQ_FORWARDING_HOST_X - X=1,2,3,...N. IP address of one of the hosts you want to forward incoming ICQ connections to.
ICQ_FORWARDING_PORTRANGE_X - X=1,2,3,...N. A range of ports you want to forward to one of the hosts. Port ranges are not allowed to overlap with port ranges for other hosts or any other port forwardings. You also have to configure the ICQ client on the LAN host to listen for connections on this exact same port range. An example would be 5010:5030, which would forward ports 5010 through 5030.
IRC_FORWARDING_N - number of IRC forwardings you want to configure (one for every machine on your LAN that will be running an IRC client)
IRC_FORWARDING_HOST_X - X=1,2,3,...N. IP address of one of the hosts you want to forward incoming IRC connections to.
IRC_FORWARDING_PORTRANGE_X - X=1,2,3,...N. A range of ports you want to forward to one of the hosts. Port ranges are not allowed to overlap with port ranges for other hosts or any other port forwardings. You also have to configure the IRC client on the LAN host to listen for connections on this exact same port range. An example would be 4900:5000, which would forward ports 4900 through 5000.
USE_EDONKEY_FORWARDING - forward incoming eDonkey connections
EDONKEY_FORWARDING_N - number of eDonkey forwardings
EDONKEY_FORWARDING_HOST_X - X=1,2,3,...,N. IP address of one of the hosts to forward eDonkey connections to
EDONKEY_FORWARDING_TCP_PORT_X - X=1,2,3,...,N. TCP port to forward for the eDonkey client. If you're only using one eDonkey client, leave it at 4662. Otherwise you have to set up the additional eDonkey clients to match the port number given here
EDONKEY_FORWARDING_UDP_PORT_X - X=1,2,3,...,N. UDP port to forward for the eDonkey client. If you're only using one eDonkey client, leave it at 4665. Otherwise you have to set up the additional eDonkey clients to match the port number given here
USE_TRANSPARENT_HOST - make use of the transparent host feature that's preconfigured in iptables.conf
TRANSPARENT_HOST - the internal IP address of the host you want to be accessible for incoming connections from the Internet.
START_ISDNMOND - start the ISDN monitor daemon. It will display CLIP on incoming ISDN calls on your dbox2 LCD display in router only mode when running dbox2info on your Windows PC
LOAD_TV_DRIVERS - TV drivers will be loaded at boot time if set to yes AND ucodes are available.
STARTMENU_AUTOSTART - brings up the LCD startmenu each time the box boots. If set to no, the box will enter Router only mode by default. Only works if TV drivers were loaded. You can also start the TV GUI manually with the starttv script.
TV_GUI - this GUI is started when running the starttv script.
RCMENU_AUTOSTART - starts rcmenu (see below) automatically when no TV GUI is started
RCMENU_STANDBY_KEY - determines the function of the standby key of your remote control while no TV GUI is running and RCMENU_AUTOSTART is set to yes. Possible options are halt (shuts down the dbox2), quit (quits rcmenu), sleep (puts rcmenu in sleep mode so it won't react to anything until you press the standby key again) and none (no function).
AUTOMATIC_VCR_LOOPTHROUGH - if set to yes, the AV signals from the VCR scart will be routed to the TV scart when in router only mode
LCD_LUMINANCE - hexadecimal value for the LCD display luminance used by the lcdon script (see below). af should be the maximum value used (Beta Research firmware uses it), everything beyond that is at your own risk.

/etc/domain.conf
----------------

This must be set up correctly before you can use the DNS and/or DHCP servers on the box and dial-on-demand.

DOMAIN_NAME - set the name of your LAN domain. You can enter pretty much anything, it won't be visible from the Internet. Enter the domain part only; for example, if one of your LAN hosts is called frodo.middle.earth you would only enter middle.earth here.
DNS_FWD_N - number of DNS forwarders, see DNS_FWD_x (pppoe mode only)
DNS_FWD_x - IP address of a valid Internet DNS server available to you. You'll need this when using dial-on-demand for DNS resolution of your first request. Because in dial-on-demand mode the dbox isn't online yet when you're making your very first request, you haven't gotten any DNS servers from your ISP yet. That's why you have to provide at least one manually. It will be overridden by the DNS servers your ISP provides during dialin, as soon as the connection is made. Don't bother if you're not using dial-on-demand (pppoe mode only)
HOSTS_N - number of hosts in your LAN
HOST_x - enter all your LAN hosts here, except the dbox2 itself. Each entry holds the IP address, the hostname and the Ethernet MAC address, separated by spaces. So, for example: if frodo.middle.earth is your fifth host and has the IP number 192.168.55.5 and the Ethernet MAC address 00:01:02:03:04:05, you would enter the line: HOST_5='192.168.55.5 frodo 00:01:02:03:04:05'.

/etc/iptables.conf
------------------

This has been split into /etc/iptables.pppoe.conf (for pppoe mode only) and /etc/iptables.dhcp.conf (for dhcp and tcpip modes). Here you can set up advanced firewall or advanced transparent host features, if you like. iptables.conf is actually a script that runs multiple iptables commands at boot time. Take a look at the file, there is at least some information on the setup I use. You'll see, for example, that all access to your router from the Internet will be blocked for security reasons (you can still access it from your LAN, of course). For more information on how to use iptables to configure a firewall, read the manual page of iptables (no, it isn't on the router, only on your normal Linux computer) and the iptables howto that's available on the Internet.

Start an Internet connection
----------------------------

This applies to pppoe mode only. In dhcp and tcpip modes, the router is always "online". There are four ways to start a connection:

1. Log in as root and run the startnet script.
2. Use an imon client to dial a connection.
3. Set up dial-on-demand in /etc/rc.config and the router will dial automatically.
4. If RCMENU_AUTOSTART is set to yes and no TV GUI is started, press the + key on your remote control.

Stop an Internet connection
---------------------------

This applies to pppoe mode only. In dhcp and tcpip modes, the router is always "online". Again, there are four ways:

1. Stop transferring any IP packets over the link and it will go down after the PPP_IDLETIME you have configured in /etc/rc.config.
2. Use the imon client to hang up the connection.
3. Log in as root and run the stopnet script.
4. If RCMENU_AUTOSTART is set to yes and no TV GUI is started, press the - key on your remote control.

Please keep in mind: while using dial on demand, the link might come right back up when you shut it down manually while data transfers are in progress.

Locking the Internet connection (pppoe mode only)
-------------------------------------------------

Use this if you want to keep the router from disconnecting after PPP_IDLETIME. This is also useful if your ISP implements some kind of idle timeout. Basically, the router sends out a ping every PING_DELAY (see rc.config) seconds to the first DNS server of your ISP. Log in as root and run the locknet script on the serial console. The router will continue to ping until you log out or close the telnet connection. You can also run the unlocknet script to kill the ping task.

A word of WARNING though: please do not set PING_DELAY any lower than absolutely necessary, because this produces a lot of unnecessary traffic to your ISP's DNS server (that's not what it's there for). Increase PPP_IDLETIME instead. There isn't really any necessity for low PING_DELAY values unless your ISP has a very nasty idle timeout.

Client setup
------------

This is the same as for any other NAT routing solution: set the default route and the DNS server to your dbox2's internal IP address. If you have a lot of hosts on your LAN, I recommend using the DNS server on the box (no more bloody hosts file editing...)
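The rules given above for /etc/rc.config (NETWORK as the bitwise AND of DBOXIP and NETMASK, port ranges that must not overlap) and for the HOST_x lines in /etc/domain.conf are easy to get wrong by hand, so here is a small checker to run before you reboot. It is an added example, not a script from the image; it assumes only the KEY='value' file layout shown above, and the sample configs it writes are constructed, each with one deliberate mistake.

```shell
#!/bin/sh
# Consistency checks for /etc/rc.config and /etc/domain.conf; assumes only the
# KEY='value' layout shown above (added example, not a script from the image).
cfg_get() {   # cfg_get FILE KEY: value of KEY with surrounding quotes stripped
    sed -n "s/^$2=//p" "$1" | head -n 1 | tr -d "'\""
}

ip2int() {    # dotted quad -> integer, so netmask arithmetic works in $(( ))
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
}

int2ip() {    # integer -> dotted quad
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_lan RCCONFIG: NETWORK must be DBOXIP AND NETMASK (the readme's rule) and
# BROADCAST must be NETWORK OR NOT NETMASK; prints what they should be otherwise
check_lan() {
    mask=$(ip2int "$(cfg_get "$1" NETMASK)")
    net=$(( $(ip2int "$(cfg_get "$1" DBOXIP)") & mask ))
    bc=$(( net | (~mask & 4294967295) )); rc=0
    [ "$(cfg_get "$1" NETWORK)" = "$(int2ip "$net")" ] ||
        { echo "NETWORK should be $(int2ip "$net")"; rc=1; }
    [ "$(cfg_get "$1" BROADCAST)" = "$(int2ip "$bc")" ] ||
        { echo "BROADCAST should be $(int2ip "$bc")"; rc=1; }
    return $rc
}

# check_ports RCCONFIG: the ICQ/IRC port ranges and eDonkey TCP ports must not
# overlap each other (the readme forbids overlapping forwardings)
check_ports() {
    list=""
    for proto in ICQ IRC EDONKEY; do
        n=$(cfg_get "$1" ${proto}_FORWARDING_N); i=1
        while [ "$i" -le "${n:-0}" ]; do
            case $proto in
                EDONKEY) r=$(cfg_get "$1" EDONKEY_FORWARDING_TCP_PORT_$i); r="$r:$r" ;;
                *) r=$(cfg_get "$1" ${proto}_FORWARDING_PORTRANGE_$i) ;;
            esac
            list="$list${proto}_$i ${r%%:*} ${r##*:}
"
            i=$((i + 1))
        done
    done
    printf '%s' "$list" | awk '{ name[NR] = $1; lo[NR] = $2 + 0; hi[NR] = $3 + 0 }
        END { bad = 0
              for (i = 1; i <= NR; i++) for (j = i + 1; j <= NR; j++)
                  if (lo[i] <= hi[j] && lo[j] <= hi[i]) { print name[i] " overlaps " name[j]; bad = 1 }
              exit bad }'
}

# check_hosts RCCONFIG DOMAINCONF: every HOST_x must read 'IP name MAC', lie in the
# LAN given by DBOXIP/NETMASK and not reuse another host's IP or MAC (DHCP is by MAC)
check_hosts() {
    mask=$(ip2int "$(cfg_get "$1" NETMASK)")
    net=$(( $(ip2int "$(cfg_get "$1" DBOXIP)") & mask ))
    dom=$2; n=$(cfg_get "$dom" HOSTS_N); i=1; rc=0; seen=""
    while [ "$i" -le "${n:-0}" ]; do
        set -- $(cfg_get "$dom" HOST_$i)     # split the entry into its words
        if [ $# -ne 3 ]; then
            echo "HOST_$i: expected 'IP hostname MAC'"; rc=1
        elif [ $(( $(ip2int "$1") & mask )) -ne "$net" ]; then
            echo "HOST_$i: $1 is not in the LAN"; rc=1
        else
            case " $seen " in
                *" $1 "*|*" $3 "*) echo "HOST_$i: $2 reuses an IP or MAC"; rc=1 ;;
            esac
            seen="$seen $1 $3"
        fi
        i=$((i + 1))
    done
    return $rc
}

# write_samples DIR: constructed sample configs (not the image's defaults), with one
# mistake each: NETWORK does not match DBOXIP/NETMASK, the ICQ ranges overlap, sam is off-LAN
write_samples() {
    cat >"$1/rc.config" <<'EOF'
DBOXIP='192.168.55.1'
NETMASK='255.255.255.0'
NETWORK='192.168.54.0'
BROADCAST='192.168.55.255'
ICQ_FORWARDING_N='2'
ICQ_FORWARDING_PORTRANGE_1='5010:5030'
ICQ_FORWARDING_PORTRANGE_2='5025:5045'
EDONKEY_FORWARDING_N='1'
EDONKEY_FORWARDING_TCP_PORT_1='4662'
EOF
    cat >"$1/domain.conf" <<'EOF'
HOSTS_N='2'
HOST_1='192.168.55.5 frodo 00:01:02:03:04:05'
HOST_2='192.168.56.6 sam 00:01:02:03:04:06'
EOF
}

if [ $# -eq 2 ]; then check_lan "$1"; check_ports "$1"; check_hosts "$1" "$2"; fi  # sh thisfile rc.config domain.conf
```

Copy both files off the box (the ftp server in internal mode will do) and run the script against them on your Linux host; every line it prints is something to fix before rebooting.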
Getting information on the Internet connection (pppoe mode only)
----------------------------------------------------------------

Just use an imon client. It will display IP address, online time, current data transfer speed, CPU load and other useful information.

Imon (pppoe mode only)
----------------------

imon is a client/server protocol used by the fli4l project (http://www.fli4l.de), which is available under the GPL. It is used to control the router and get information from it from any other LAN host. I will only give a short introduction to get you going; for more information please read the imon documentation, which is available here: http://www.fli4l.de/german/extern/docu/stable/doc/english/html/8kap_en.html (english) or here: http://www.fli4l.de/german/extern/docu/stable/doc/deutsch/html/8kap.html (german).

The imon daemon (or server) is called imond and runs on the dbox2. It listens for incoming connections from imon clients, called imonc, on TCP port 5000. imoncs are available for both Windows and Linux from the fli4l homepage. The protocol itself is human readable, so you can also telnet to TCP port 5000 and give commands to imond manually. For example: telnet dbox 5000, then type help to get a list of available commands. Type help followed by a command name to get information on what that command does.

Depending on your configuration of IMOND_PASS and IMOND_ADMIN_PASS, you have to enter the appropriate password first, using the pass command, before some commands are available. If IMOND_PASS is left blank, you are in user mode immediately after you connect. Otherwise you have to enter either IMOND_PASS or IMOND_ADMIN_PASS before you are allowed to do anything. After entering IMOND_PASS you're in user mode, after entering IMOND_ADMIN_PASS you're in admin mode. You can configure in /etc/rc.config whether certain commands are available in user mode or in admin mode only.

If you already know fli4l, don't expect every command that works with a fli4l router to work with the dbox2 as well. For example, I deactivated commands for transferring files to the router or deleting files on the router to keep clients from doing any harm on the dbox, because the structure of the root filesystem on the dbox is somewhat different from that on a fli4l router. So any remote configuration of the router through imon is likely to fail.

On the other hand, there are a couple of extra commands: lcdoff will turn off the LCD display, lcdon will turn it back on again. exton will switch the input signal on the VCR scart through to the TV scart output. extoff does the opposite and lets you watch TV again. dyndns triggers a dyndns update. And with ftpdext and ftpdint you can switch between internal and external mode of the dbox's ftp server. See the next section for details.

Also, contrary to the standard fli4l imond, user/admin only access to the dial and hangup commands can be configured independently. So, for example, you can allow users to manually dial a connection, but not allow them to hang up a connection manually. The date command now also allows setting the time of your dbox2.

FTP-Server on the dbox2 (ftpd)
------------------------------

The ftp server on the dbox now knows two modes of operation: internal and external.

Internal mode is what you already know from past router versions: you can log in as root and upload ucodes, settings and so on to your dbox2. Access from the Internet to the ftp server in internal mode is disabled for security reasons, and ftp port forwarding is enabled if you set it up in /etc/rc.config.

In external mode, the ftp server on the dbox is made available to incoming connections from the Internet. Root logins are automatically disabled in external mode. FTP port forwarding is also disabled while you're running the dbox2 ftp server in external mode (there can't be two servers on the same IP address at the same time).
Anonymous logins are allowed in external mode; anonymous ftp users see /tmp/ftp as their root directory. /tmp/ftp is a tmp filesystem of 12 MB maximum size residing in the RAM of the dbox2, so all contents will be lost when you reset or shut down your dbox2.

After booting, the ftp server is always in internal mode. Since you have to upload contents to /tmp/ftp as root in internal mode first anyway, there is no point in making an extra config variable for this. To switch to external mode, type ftpdext at the command line or give this command to imond. ftpdint changes back to internal mode. Changing back to internal mode will reactivate ftp port forwarding if activated in /etc/rc.config. So, you can easily switch between a ftp server running on a host in your LAN (with a bit more space than just 12 MB) and the ftp server on your dbox2.

Please keep in mind that all ftp transfers are unencrypted. Therefore, using the ftp server to access mounted nfs or Windows shares (see next chapter) from the Internet is a huge security risk: not only are the files sent unencrypted, the password is also sent unencrypted, so anyone with a network sniffer could easily get it. So do yourself a favour and use ssh/sftp for this purpose only (see next chapter).

Using ssh/sftp/samba client for secure access to your LAN from the Internet
---------------------------------------------------------------------------
Sometimes you might want to be able to access your LAN from the outside world, for example from your place of work. This can now be done in a secure way using the secure shell, also known as ssh. This chapter is for people who are already familiar with the concepts of ssh and public key encryption and only covers how to set it up on the dbox2 router.

The dbox2 is running a sshd from the openssh package. All the configuration of the sshd on the dbox2 is done through the file /etc/ssh/sshd_config.
Initially the sshd is set to accept ssh protocol version 2 only and to accept public key authentication only. If you want to change the default behaviour, read the sshd manual page (no, this isn’t on the dbox; you have to install the openssh package on your Linux computer to read it).

To be able to access your LAN from the outside, follow these steps:

1. In /etc/rc.config: set SSHD=yes and SSH_ACCESS_FROM_INTERNET=yes and reboot.
2. Make sure the dbox2 is online and stays online (for pppoe connections use locknet).
3. Make sure to remember the Internet IP address of your dbox2 (probably best to use dyndns).
4. Login as the user you want to be able to access your dbox with from the outside (most probably root).
5. Generate a rsa public key pair by entering “ssh-keygen -t rsa” on the dbox console. Save the keys to the suggested location. Enter a good passphrase to protect your private key.
6. Enter “cd ~/.ssh” on the dbox command line.
7. To be able to use this newly generated key to access the dbox2, you have to append the public key to the authorized_keys2 file by entering “cat id_rsa.pub >>authorized_keys2” on the command line.
8. Make sshd read the new authorized_keys2 file by entering “killall -HUP sshd” on the command line.
9. The other file, id_rsa, is your private key, which will now grant access to your dbox2 via ssh. It must be kept secret. For example, copy it to a diskette to take with you, but keep it safe at all times. Remember, anyone who can access this file and knows the passphrase can access your dbox2. You probably have to ftp this file first from your box to your host computer to be able to put it on a disk. You can also mount a Windows or Linux filesystem on your dbox2 and copy it to one of your LAN computers (see below).
10. Delete the id_rsa and id_rsa.pub files from your dbox2. They’re not needed there and pose a security risk if you leave them. On the dbox command prompt type “rm ~/.ssh/id_rsa” and “rm ~/.ssh/id_rsa.pub”.
Also delete any temporary copies on your LAN computer that you used to write id_rsa to a diskette.

Now you should be all set. To access your dbox2, use any SSH protocol version 2 client and the private key file on your diskette. For example, I use the openssh package on Linux systems or a client called PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/) on Windows systems.

The ssh package also comes with a file transfer client that uses a secure ssh connection to transfer files. It is called sftp (Secure FTP). The PuTTY client for Windows has a similar tool called psftp. Both are command line clients that use the same basic commands as ftp to transfer files.

Of course, to be able to access more than your dbox2 filesystem with sftp, you have to first mount filesystems from your LAN computers on your dbox2. Linux users just use nfs in the usual way; Windows users have to set up the samba client. So, you’ll have to set at least WORKGROUP in /etc/rc.config to the same workgroup name you use on your Windows machine. Then share the filesystems you wish to access, like you normally would with the Microsoft Network. To mount these “Shares” on the dbox2, enter “mountshare” on your dbox2 prompt. For example, if your Windows computer “frodo” shares a filesystem called “bilbo” (under Windows, you would access this share with //frodo/bilbo) and the Windows user who’s allowed to access this share is called gandalf, you would enter “mountshare frodo bilbo gandalf /mnt”. To unmount all mounted Windows shares, use the command umountshares.

ssh also allows you to tunnel other (normally insecure) network protocols through the encrypted ssh connection, therefore making their use safe. For example, you could use VNC (http://www.uk.research.att.com/vnc/) to export your Windows or Linux X-Windows desktops from your LAN computers and access them from the outside (much like PC-Anywhere, but using free software only).
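Before you expose sshd to the Internet as the steps above describe, it is worth checking that /etc/ssh/sshd_config still enforces the defaults this chapter relies on (protocol version 2 only, public key authentication only, no empty passwords). The following script is an added example and not part of the dbox2 image; the function names sshd_setting, audit_sshd_config and write_sample_config are my own, and the two sample configs it writes are constructed for the demonstration:

```shell
#!/bin/sh
# Added example (not part of the dbox2 image): audit an sshd_config for the
# settings the README relies on before SSH_ACCESS_FROM_INTERNET=yes is set.

# Print the effective value of KEY in FILE. Like sshd itself, the first
# matching keyword wins; comments are stripped and keywords are case-insensitive.
sshd_setting() {
    sed -e 's/#.*//' "$1" | awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        NF >= 2 && tolower($1) == k { print $2; exit }'
}

# Return 0 if FILE enforces key-only, protocol-2-only logins, 1 otherwise.
# Every failed check is printed so you know what to change.
audit_sshd_config() {
    f=$1
    rc=0
    [ "$(sshd_setting "$f" Protocol)" = "2" ] \
        || { echo "FAIL: 'Protocol 2' missing (old OpenSSH defaults allow protocol 1)"; rc=1; }
    [ "$(sshd_setting "$f" PasswordAuthentication)" = "no" ] \
        || { echo "FAIL: 'PasswordAuthentication no' missing (default is yes)"; rc=1; }
    [ "$(sshd_setting "$f" PubkeyAuthentication)" != "no" ] \
        || { echo "FAIL: PubkeyAuthentication is disabled"; rc=1; }
    [ "$(sshd_setting "$f" PermitEmptyPasswords)" != "yes" ] \
        || { echo "FAIL: PermitEmptyPasswords is enabled"; rc=1; }
    return $rc
}

# Constructed sample configs for the demonstration. Writes one to a temp file
# and prints its path: "good" matches the README's defaults, "bad" does not.
write_sample_config() {
    f=$(mktemp)
    if [ "$1" = good ]; then
        cat >"$f" <<'EOF'
# constructed sample: key-only, protocol 2 only
Port 22
Protocol 2
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
EOF
    else
        cat >"$f" <<'EOF'
# constructed sample: passwords allowed, protocol 1 fallback
Protocol 2,1
PasswordAuthentication yes
EOF
    fi
    printf '%s\n' "$f"
}

# Stand-alone usage on the router (uncomment):
# audit_sshd_config /etc/ssh/sshd_config && echo "sshd_config OK"
```

Run audit_sshd_config against /etc/ssh/sshd_config after every change to that file; a missing PasswordAuthentication line counts as a failure on purpose, because sshd's built-in default is to allow passwords.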
Configuration of this tunneling (most ssh clients call this port forwarding) is done only on the client, so there’s no need to set anything special up on the dbox2. For example, if you’re running a VNC server on your Windows computer called frodo with display id 0 (therefore using port 5900) and want to access this from the Internet with a Linux client, you would first type “ssh -L 5901:frodo:5900 ”. After the ssh connection has been established, port 5901 (VNC display id 1) of your client machine is forwarded through the secure ssh connection to the VNC server of frodo in your LAN. Now you can connect to your VNC server on frodo by simply running “vncviewer localhost:1”. Please read the VNC documentation on how exactly VNC display ids map to tcp port numbers and how you can even connect to your LAN computer’s desktop with a simple java-enabled web browser.

Wake on LAN
-----------
The dbox router now also supports sending wake on LAN ethernet frames to other hosts. For example, you can login from anywhere on the Internet into your dbox2 router via ssh and then start up your PC at home. Just type “wakeup” on the dbox2 command line. If you list the MAC addresses of your hosts in /etc/domain.conf, an environment variable called mac_hostname will be automatically created for each of the hosts in /etc/domain.conf. You can then also use wakeup $mac_hostname and don’t have to remember the MAC addresses of your hosts.

VPN – Virtual private networking
--------------------------------
With VPN you can connect your own private network to another (or multiple other) private networks transparently. It will look like a direct connection, although all the data traffic will be encrypted and routed through the Internet. For detailed information, go to http://www.freeswan.org/

VPN will be configured through /etc/vpn.conf. All options are documented in that file. For VPN to work, it’s mandatory for both ends to be reachable under a constant fully qualified domain name.
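For the Wake on LAN section above, here is what wakeup actually puts on the wire, as an added example that is not the image’s own wakeup script: a magic packet is six 0xff bytes followed by the target MAC address repeated 16 times (102 bytes). The function names mac_normalize, wol_magic_hex and wol_magic_bytes are my own, the MAC addresses are constructed, and the socat command in the comment is an assumption (socat is not part of the dbox2 image):

```shell
#!/bin/sh
# Added example (not the dbox2 image's wakeup script): build the Wake-on-LAN
# "magic packet" in plain POSIX sh.

# Normalise a MAC such as 00:11:22:33:44:55 or 00-11-22-33-44-55 to 12 lowercase
# hex digits. Returns 1 and prints nothing on malformed input, so a typo in
# /etc/domain.conf cannot silently produce a packet for some other station.
mac_normalize() {
    m=$(printf '%s' "$1" | tr -d ':-' | tr 'A-F' 'a-f')
    [ "${#m}" -eq 12 ] || return 1
    case "$m" in *[!0-9a-f]*) return 1 ;; esac
    printf '%s\n' "$m"
}

# Print the magic packet for MAC as a hex string: ff x 6, then the MAC 16 times
# (204 hex digits = 102 bytes).
wol_magic_hex() {
    m=$(mac_normalize "$1") || return 1
    out=ffffffffffff
    i=0
    while [ "$i" -lt 16 ]; do
        out="$out$m"
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# Write the magic packet for MAC as raw bytes to stdout. Hex pairs are turned
# into octal escapes (\377 etc.), which every POSIX printf understands, unlike \x.
# Example (assumption, socat not on the dbox2): send to the LAN broadcast, port 9:
#   wol_magic_bytes 00:11:22:33:44:55 | socat - UDP-DATAGRAM:192.168.0.255:9,broadcast
wol_magic_bytes() {
    hex=$(wol_magic_hex "$1") || return 1
    esc=
    while [ -n "$hex" ]; do
        pair=${hex%"${hex#??}"}      # first two hex digits
        esc="$esc$(printf '\\%03o' "$((0x$pair))")"
        hex=${hex#??}
    done
    printf "$esc"
}

# Stand-alone usage (constructed MAC): print the packet as hex.
# wol_magic_hex 00:11:22:33:44:55
```

Only the payload is built here; the dbox2's wakeup command does the sending. Because the packet contains nothing but the MAC, anyone on the LAN segment can wake any host whose MAC they know, which is why the router only offers it behind its ssh login.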
I suggest using http://www.dyndns.org to accomplish that.

There are three scripts provided to start/stop VPN connections:

vpnprepare
vpninitiate
vpnshutdown

To start the VPN, both ends have to be connected to the Internet and have their dyndns entries updated, so all IP addresses will be known before running vpnprepare or vpninitiate. Then, one end has to run vpnprepare and AFTER THAT the other end has to run vpninitiate. It’s necessary to do things in exactly this order, otherwise the connection will fail.

I also suggest generating your own RSA keys to protect the connection. Unfortunately, this can’t be done on the dbox2 at the moment. So, if you have a Linux machine, install Freeswan there, run “ipsec rsasigkey” and copy/paste the appropriate private and public key parts to /etc/ipsec.secrets and /etc/vpn.conf.

Screen – A virtual text screen manager
--------------------------------------
With screen you can emulate several virtual screens on one telnet or ssh login console. The big advantage is that you can detach from a screen without ending the application you’re running on that screen. You can then end the ssh or telnet connection and your application on the detached screen will still continue to run. You can later reattach that screen on another telnet/ssh login shell and see the results of the application you were running.

Another advantage is that you can grab the dbox2 kernel console onto a virtual screen. This might be useful if you want to take a look at the kernel console from another computer than the one you’ve connected the dbox’s serial cable to: simply open a telnet/ssh connection, open a virtual screen and then grab the console onto that screen.

Okay, how to do all that: To start the virtual screen manager just type “screen” on the console. You’ll then get another busybox shell, which is now running on a virtual screen. To get help about any of the virtual screen functions, press “CTRL-A ?”.
To detach a screen, press “CTRL-A d”. To list all currently available virtual screens, enter “screen -ls”. To reconnect to a screen that was detached earlier, enter “screen -r ”. You’ll get the ID with the “screen -ls” command. If you just have one detached virtual screen, just enter “screen -r”. To grab the dbox2 kernel console onto a virtual screen, press “CTRL-A :”, then enter “console on” on the command line that appears on the last line of the virtual screen.

For further information on screen, install it on your Linux computer (should be available on most Linux distributions) and read the manual and info pages.

rcmenu
------
This allows you to start shell scripts by pressing a button on your remote control. Works only when the TV-GUI isn’t running. Use /var/tuxbox/config/rcmenu.conf to set up your own configuration. The format is fairly simple; just look at the provided example. The left parameter is the remote control key, the first right parameter is the script to start. Quote this parameter if it includes any whitespace. The third parameter (0 or 1) tells rcmenu if it is supposed to shut down after starting the script. Shutting down rcmenu is necessary to start TV-GUIs that use the remote control for themselves. All remote control keys except the standby key can be configured here.

The default setup of rcmenu looks like this:

    Key      Reaction
    0        switches LCD display on and off
    1        starts Neutrino
    +        dial pppoe connection
    -        hangup pppoe connection
    standby  shuts down the router completely

See RCMENU_STANDBY_KEY in the /etc/rc.config section of this readme for alternative options for the standby key.

scanTP
------
scanTP is a small command line utility to scan a single transponder for channels. You have to provide frequency, polarisation, symbolrate, fec and an optional DiSEqC satellite number on the command line. Without any command line parameters, scanTP scans the transponder you’re currently tuned to.
The output of scanTP can be copy/pasted directly to services.xml and bouquets.xml. fec is 1...5 (1/2, 2/3, 3/4, 5/6, 7/8).

DVBTime
-------
DVBTime sets the real time clock of the dbox2 at boot time using the DVB satellite signal, if present. You can set in /var/tuxbox/config/dvbtime.conf which transponders should be used for this. Cable is currently not supported. ucodes must be available and TV drivers loaded for this to work.

Starting TV
-----------
Run the starttv script as root. It will start the TV GUI that’s set under TV_GUI in /etc/rc.config. Or set STARTMENU_AUTOSTART to yes in /etc/rc.config to choose your TV application every time you boot. You can’t use the serial console if you start the TV application at boot time. With rcmenu started, you can also press 1 on your remote control for Neutrino.

Stopping TV
-----------
Run the stoptv script as root or shut down the GUI in the usual manner.

Nokia reception problems on high frequency Astra transponders
-------------------------------------------------------------
If you’re experiencing difficulties receiving high frequency transponders on Astra with your Nokia dbox2 (for example MTV Central or VIVA), it’s possible that the LOF (local offset frequency) of your LNB is slightly off. In this case, the tuner sometimes can’t lock onto the signal anymore and you don’t get any picture or sound on these channels. If you instead have distorted picture and sound, this procedure probably won’t help you.

So, what you’ll have to do is to try and match your LNB’s LOF for the high frequency band with the settings in /var/tuxbox/config/zapit.conf. In order to do that, first tune to an Astra channel that is working fine (like ARD/ZDF). Then run “afc” on the command line of your dbox2. You’ll see the contents of the afc (automatic frequency control) register of the tuner in your dbox2, which indicates how much frequency correction was necessary to tune in to the transponder.
In the register you’ll find values from 0x00 to 0x7f, where everything from 0x40 to 0x7f is actually a negative value (0x7f being -1 and 0x40 being -64). Your goal in the following steps is to bring this register as close to zero as possible by changing lnbX_OffsetHigh in /var/tuxbox/config/zapit.conf (X=0,1,2,3) and restarting zapit/neutrino afterwards. X stands for the DiSEqC address of the LNB you want to change (I don’t have DiSEqC, so I’m only using lnb0_OffsetHigh).

Okay, now look at the value you found in the afc register. If it’s negative (for example 0x70 to 0x7f), you’ll have to decrease lnbX_OffsetHigh; if it’s positive (0x01 to 0x0f for example), you’ll have to increase lnbX_OffsetHigh. Don’t change LNB_HIGH_LOF by steps greater than 2000 with every attempt you make (so your first step would be either 10598000 or 10602000). If you don’t get any signal at all after changing LNB_HIGH_LOF, undo your last change. You won’t be able to get the afc register exactly to 0x00 on every channel, but everything between 0x7e and 0x02 should be quite alright. Now test the channels you had problems with before; they should work fine now.

Convenient scripts
------------------
The following scripts can be run by root while the dbox2 is online.

dyndns - update DYNDNS settings once for this session only (if you don’t use DYNDNS by default). No arguments.
killtask - lists all running tasks and asks for the number of the task to kill. No arguments.
pfon/pfoff - set up/delete port forwardings. Both scripts take 3 arguments: protocol (tcp or udp), port and IP of the destination host. Port forwarding overrides any transparent host settings for these ports.
thon/thoff - add/remove a transparent host. Both take a single argument, the transparent host’s IP address.
localon/localoff - add/remove access to a port on the router itself
showfilter - lists your current packet filter setup
shownat - lists your current nat setup

Please keep in mind that pfon, pfoff, thon, thoff, localon and localoff might interfere with additions you have made to /etc/iptables.conf.

horHigh, vertHigh, horLow, vertLow - switch satellite band and polarisation when no TV GUI is running. Useful when you connect a second satellite receiver to the LNB output of your dbox2.
lcdon, lcdoff - switches the LCD display on or off

Happydude, ICQ #31583685
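The pfon/pfoff scripts listed above take protocol, port and destination IP. As an added example that is not the image’s own pfon/pfoff, the following shows the two iptables rules such a forward needs (a DNAT in the nat table and a matching FORWARD accept) and validates the arguments first, so a typo cannot open a forward to a host outside the LAN or to an unintended port. It assumes the pppoe interface is ppp0 and the private LAN is 192.168.0.0/24 (PF_WAN_IF and PF_LAN_PREFIX, both adjustable); the function names pf_validate, pf_rules and pf_apply and the sample addresses are my own:

```shell
#!/bin/sh
# Added example (not the dbox2 image's pfon/pfoff): generate and apply the
# iptables rules for one port forward, with argument validation.
PF_WAN_IF=${PF_WAN_IF:-ppp0}               # assumption: pppoe interface
PF_LAN_PREFIX=${PF_LAN_PREFIX:-192.168.0.} # assumption: LAN is 192.168.0.0/24

# Validate PROTO PORT DEST. Returns 1 with a message on bad input so a forward
# is only ever created for tcp/udp, a real port, and a host on the private LAN.
pf_validate() {
    case "$1" in
        tcp|udp) ;;
        *) echo "proto must be tcp or udp" >&2; return 1 ;;
    esac
    case "$2" in ''|*[!0-9]*) echo "port must be numeric" >&2; return 1 ;; esac
    [ "$2" -ge 1 ] && [ "$2" -le 65535 ] || { echo "port out of range" >&2; return 1; }
    case "$3" in
        "$PF_LAN_PREFIX"*) ;;
        *) echo "destination must be a LAN host (${PF_LAN_PREFIX}x)" >&2; return 1 ;;
    esac
    last=${3#"$PF_LAN_PREFIX"}
    case "$last" in ''|*[!0-9]*) echo "bad destination address" >&2; return 1 ;; esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ] || { echo "bad destination address" >&2; return 1; }
}

# Print the rules for PROTO PORT DEST [A|D], one per line:
#  1. nat/PREROUTING: rewrite the destination of packets arriving on the WAN
#     interface for PORT to DEST:PORT.
#  2. filter/FORWARD: let the rewritten packet through the firewall.
# "A" appends (pfon), "D" deletes the same rules again (pfoff).
pf_rules() {
    pf_validate "$1" "$2" "$3" || return 1
    act=${4:-A}
    case "$act" in A|D) ;; *) echo "action must be A or D" >&2; return 1 ;; esac
    printf 'iptables -t nat -%s PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$act" "$PF_WAN_IF" "$1" "$2" "$3" "$2"
    printf 'iptables -%s FORWARD -i %s -p %s -d %s --dport %s -j ACCEPT\n' \
        "$act" "$PF_WAN_IF" "$1" "$3" "$2"
}

# Apply the generated rules (needs root on the router). Stops at the first
# iptables error so a half-applied forward is noticed.
# Usage: pf_apply tcp 21 192.168.0.10      # open
#        pf_apply tcp 21 192.168.0.10 D    # close again
pf_apply() {
    pf_rules "$1" "$2" "$3" "${4:-A}" | sh -e
}
```

Run pf_rules first to review what will be applied, then pf_apply. Keeping forwards this explicit (one protocol, one port, one LAN host) is the safer counterpart to a transparent host, which exposes every port of that host.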