  • 0

Banana Pi R as router


yacc

Question

Just noticed some ugly detail:

 

1.) the switch is active during boot, and it defaults to all ports on one VLAN.

2.) My laptop is quite aggressive when it comes to DHCP, it's connected to one of the local ports of the BPI-R, so it detects immediately that the ethernet connection goes down and up.

3.) So I end up with the cable modem's external IP address on my laptop, and a BPI-R that is unreachable, ...

 

Any idea how to turn off the network switch in the boot loader?

 

TiA,

 

Andreas
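
A way to spot the symptom described in this question from a LAN client, as an added example that is not part of the original post: it reads leases in ISC dhclient lease-file syntax and reports any that did not come from the router's own DHCP server. The LAN subnet, the router address and the sample leases are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample in ISC dhclient lease-file syntax (not from the thread).
# 192.168.1.0/24 stands in for the LAN, 203.0.113.0/24 for the modem side.
SAMPLE_LEASES = """
lease {
  interface "eth0";
  fixed-address 192.168.1.50;
  option dhcp-server-identifier 192.168.1.1;
}
lease {
  interface "eth0";
  fixed-address 203.0.113.27;
  option dhcp-server-identifier 203.0.113.1;
}
"""

LEASE_RE = re.compile(r"lease\s*\{(.*?)\}", re.S)
ADDR_RE = re.compile(r"fixed-address\s+([0-9.]+);")
SERVER_RE = re.compile(r"option\s+dhcp-server-identifier\s+([0-9.]+);")


def parse_leases(text):
    """Return (address, server) pairs for every lease block in the text."""
    leases = []
    for body in LEASE_RE.findall(text):
        addr = ADDR_RE.search(body)
        server = SERVER_RE.search(body)
        if addr:
            srv = ipaddress.ip_address(server.group(1)) if server else None
            leases.append((ipaddress.ip_address(addr.group(1)), srv))
    return leases


def leaked_leases(text, lan_net, lan_dhcp_server):
    """Leases that cannot have come from the router's own LAN DHCP server."""
    lan = ipaddress.ip_network(lan_net)
    router = ipaddress.ip_address(lan_dhcp_server)
    return [(str(a), str(s) if s else None)
            for a, s in parse_leases(text)
            if a not in lan or s != router]


if __name__ == "__main__":
    for addr, server in leaked_leases(SAMPLE_LEASES, "192.168.1.0/24", "192.168.1.1"):
        print(f"lease {addr} from {server}: WAN side was reachable from a LAN port")
```
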

 


  • 0

@dinokpir

 

I am waiting for my replacement Turris Omnia as a "router"

I am using the Lamobo-R1, my ISP provides internet on VLAN 835 so (in my particular situation) it is less likely someone hijacks the whole Lamobo-R1

 

Anyway, if you know the risks and try hard to lessen the risks, the Lamobo-R1 is usable, a little risky but if you dare to take the risks, ok.


  • 0

1) Correct

 

This is what a router looks like. The router's CPU has access to at least two independent NICs (network interfaces). In case the router is bricked or broken it's still separated what has to be separated (the router is the barrier between WAN and LAN by design):

post-7-0-71978200-1474364976_thumb.png

2) Weird

 

You can use a rather expensive managed switch that supports VLANs to provide almost similar functionality. We need a managed switch with 6 GbE interfaces and define 2 VLANs, the port to the 'CPU' being part of both. With this setup the interface between switch and the CPU will become a bottleneck but since the switch has its own brain/CPU and starts with VLANs enabled (first bringing up the VLANs, then bringing up the ports and therefore NEVER bridging Ethernet frames or IP packets between WAN and LAN) this will work and is only somewhat weird.

post-7-0-67813300-1474364988_thumb.png

3) Impossible

 

If you really want to fool yourself you use a dumb switch that bridges everything between all its ports. If you power on the switch all 6 ports are interconnected since the switch has no brain/CPU of its own. It's necessary that the CPU nearby gets involved and tells the dumb switch via a so-called MDIO interface how to set up VLANs. So it needs the external CPU being booted up appropriately to prevent the dumb switch acting as exactly that. In case the external CPU is not available (or bricked or not booted, e.g. powered on without SD card with a working OS inserted or even just booting!) everything is forwarded between all switch ports. Which is clearly not what you want since a router that should separate different ports has to separate those even in fault state:

post-7-0-24106300-1474364998_thumb.png

Lamobo R1 implements the latter, a Lamobo R2 using R40 (and given EMAC and GMAC interfaces could be used both at the same time there) could implement the first scenario. The middle scenario is what most R1 owners believe is happening (or they actively fool themselves and think 'hey, the few seconds when the device is booting... who cares that WAN and LAN are bridged?')

 

By adding a simple USB-Ethernet adapter and using this as WAN port you're able to implement 'router behaviour', otherwise not. So it's a simple investment of a few bucks to fix at least the security issue (but the many other design flaws this board is 'famous' for still remain)


  • 0

"By adding a simple USB-Ethernet adapter and using this as WAN port you're able to implement 'router behaviour'"

 

In fact, with my Internet box, I don't even need a USB/Ethernet adapter as it can do IP over USB with speed greater than DSL link. (OTOH I don't rely on standard boot scripts to ensure security and want to have full control over it).

 

I was interested in the R1 and I could use it even with its flawed design. But in fact the sale price is then double what it should be, so I never bought one.

 

And by the way, can it be correctly cooled when you enclose it with a SATA drive in an acrylic box?


  • 0

In fact, with my Internet box, I don't even need a USB/Ethernet adapter as it can do IP over USB with speed greater than DSL link. (OTOH I don't rely on standard boot scripts to ensure security and want to have full control over it).

 

That reminds me of cheap H3 devices available in the meantime. Using a NanoPi NEO or M1 connected with a short Micro USB to USB cable to R1's Type A USB port the H3 device will be powered by Lamobo and can also secure the Internet connection (acting as firewall, VPN acceleration and so on). Simply by using Armbian and the g_ether module on the H3 board (would not even require an SD card since it could be FEL booted by Lamobo).

 

Anyway: since this board is overpriced and shows sooooo many design flaws I would never buy one again. Just checked: ClearFog Pro would cost me twice as much as a R1 (currently 192,-€ including VAT and shipping -- already curious how much Clearfog Base will be). And here I can choose a WiFi card that is not just crap but suits my needs, I can attach up to 3 SATA disks using mechanical converters for M.2 or mSATA slots, have one fast USB3 port to attach a bunch of USB disks, get 3 independent GbE NICs that do not suck but show full GbE performance and so on.

 

The one R1 we use at a customer is the only ARM device I ever had to add a fan to for productive usage (blowing air over the whole board to cool down switch IC, HDD, SoC and PMU in summer)

 

Edit: Nice, ALLNET starts to distribute FriendlyARM products in Europe, some of their partners have already NanoPi in stock (but prices are pretty high if you're not enabled to directly order from ALLNET)


  • 0

Marvell ESPRESSOBin soon on kickstarter starting at $39: http://www.cnx-software.com/2016/09/23/marvell-espressobin-board-with-gigabit-ethernet-sata-pcie-and-usb-3-0-to-launch-for-39-and-up-crowdfunding/

 

WAN and LAN ports are truly separated (the 2 GbE ports behind a switch IC) and I would assume you can turn the mPCIe slot into mSATA and attach another normal SATA using a mechanical mSATA-to-SATA converter or add separate mPCIe-SATA adapters. It needs confirmation whether WAN and LAN ports are connected to the SoC using different paths or all 3 GbE ports are connected to the 88E6141 switch IC.

 

Unfortunately all 3 GbE ports are behind a switch IC which means that I will add a cheap NanoPi NEO via Micro USB as external firewall/VPN/WAN Ethernet dongle. The mPCIe slot can not be turned into mSATA. More information available at the bottom of this page.


  • 0

Marvell ESPRESSOBin soon on kickstarter starting at $39: http://www.cnx-software.com/2016/09/23/marvell-espressobin-board-with-gigabit-ethernet-sata-pcie-and-usb-3-0-to-launch-for-39-and-up-crowdfunding/

 

WAN and LAN ports are truly separated (the 2 GbE ports behind a switch IC) and I would assume you can turn the mPCIe slot into mSATA and attach another normal SATA using a mechanical mSATA-to-SATA converter or add separate mPCIe-SATA adapters. It needs confirmation whether WAN and LAN ports are connected to the SoC using different paths or all 3 GbE ports are connected to the 88E6141 switch IC.

 

Unfortunately all 3 GbE ports are behind a switch IC which means that I will add a cheap NanoPi NEO via Micro USB as external firewall/VPN/WAN Ethernet dongle. The mPCIe slot can not be turned into mSATA. More information available at the bottom of this page.

 

According to the available schematics, the switch is configured (via bootstrap pins) to come up in "CPU mode", i.e. all ports come up with disabled links until the switch is configured by the CPU.

 

Actually your assumption in your figure 3 is incorrect, all current switch ICs I know allow bootstrapping to come up in isolated mode on power on. Save any errors by the HW design engineer, it is completely fine to use a switch for isolation.

 

The 2.5Gbps link speed allows streaming 1Gbps to each LAN port concurrently (e.g. some data coming from the SATA port, or the USB 3.0 port, or something else connected to the mPCIe port, e.g. PCIe-to-SATA).


  • 0

Actually your assumption in your figure 3 is incorrect, all current switch ICs I know allow bootstrapping to come up in isolated mode on power on.

 

Well, at least on Lamobo R1 it's not the case. IIRC according to schematic it should be possible but one IC is missing (don't remember exactly and also not where).

 

Thanks for correcting me regarding ESPRESSOBin -- good to know that it should work there (already confirmed? -- with Lamobo R1 it took some time before first users realized the problem and it got documented)

 

Edit: just did a quick search. It's U20 on Lamobo R1 that should be populated but isn't.


  • 0

Well, at least on Lamobo R1 it's not the case. IIRC according to schematic it should be possible but one IC is missing (don't remember exactly and also not where).

 

Thanks for correcting me regarding ESPRESSOBin -- good to know that it should work there (already confirmed? -- with Lamobo R1 it took some time before first users realized the problem and it got documented)

 

Edit: just did a quick search. It's U20 on Lamobo R1 that should be populated but isn't.

 

If we did want to stick an AT93C66A in there, like the diagram says... what do you have to program this circuit with? Can we get a code from somewhere?


  • 0

Well, at least on Lamobo R1 it's not the case. IIRC according to schematic it should be possible but one IC is missing (don't remember exactly and also not where).

 

I guess you meant a resistor, not an IC. This comment over at github 511: solder a 2k2 ohm resistor on unpopulated R1308 soldering pads.

Extract: According to the docs, this pin strapping option affects the Port Control Register and Switch Mode Register which might need additional care by the driver.

 

more about it in the link above


  • 0

I guess you meant a resistor, not an IC

 

I remembered someone else was talking about an EEPROM. Thanks for mentioning the resistor but this doesn't change much. This board is broken in so many regards that it's not worth a look. The whole idea behind (being router and media player at the same time) is so stupid that I still believe the best idea is to simply drop support for this device.


  • 0

Thanks for mentioning the resistor but this doesn't change much.

 

The whole idea behind (being router and media player at the same time) is so stupid.

Well, I guess a resistor is easier to get and to solder.

 

There are so many things that are stupid to do, and still some people like to do it i.e. eating Donuts (it is stupid because you hardly can stop if you get the right mixture of fat and sugar. Not to start would be the right decision).

And the idea per se is not stupid TK, it is just unsafe to use it as your firewall, router and media player all together.


  • 0

And the idea per se is not stupid TK, it is just unsafe to use it as your firewall, router and media player all together.

 

In other words: you never thought about what you're doing? :)

 

You can use anything related to the HDMI port only when you use 'legacy' kernel (a somewhat community patched old and outdated vendor kernel made by Allwinner guys that give a shit about anything and especially security) and the graphics stack. GPU/VPU drivers have a pretty high attack surface (see the result of this quick check of NVIDIA drivers) and you don't want to run smelly vendor kernels on anything that should play firewall or router role.

 

So once you use mainline kernel on this device you can already forget about the HDMI port and then it's pretty easy to switch on your brain and to throw the whole device in the bin since there are so many 'real routers' around that can do the job better.

 

How do you deal with this: https://github.com/allwinner-zh/linux-3.4-sunxi/commit/6964d467510849e3e262518cb87bff7ef92e01f5


  • 0
30 minutes ago, renard said:

Will Armbian support it from stock (stupid question yet I don't know what is the priority and who chooses the platforms to support)?

was still done >1 month ago.. :P

 

Edit:

@renard you don't have to delete cause you missed a thread about R2. :D Since the search engine isn't that good I'll recommend the google custom search for you.

This topic is now closed to further replies.