The most complete Banana Pi R1 configuration post

It’s been a while since I’ve been active (it was the old forum), I’ve been kept busy on many accounts. So I thought I’d say hello again and start with my latest adventure.

Since I broke my system during upgrade, I had to reinstall, which gave me a good reason to do the write-up again. And now we’re going at it properly and thoroughly: flash > initial setup > system hardening
I have been using a Banana Pi R1 (BPI or Lamobo) for IPFire since… ages. At some point (on the old forum), I did a write-up on the speed challenges I was facing, after which I upgraded to an APU2D4. You might be able to find it somewhere: IPFire Community

The BPI is currently used for testing purposes. Unfortunately the theme functionality was discontinued, which is a pity because I wanted to spend some more time on the dashboard I made. But first, let’s get to business: how do I get this thing running again, as upgrading broke the installation?

Some of the steps can be found on the wiki, just thought I’d take the liberty to make it a little bit more verbose. See original here: wiki.ipfire.org - Lamobo R1

Prepare the SD-card

  1. Format the SD-card

  2. Unmount every mounted partition of the SD-card, otherwise you won’t be able to write to it
    sudo umount /dev/sdb?

  3. XZCAT the image to the SD-card (note: this might take a while)
    xzcat ipfire-image.img.xz | sudo dd bs=1M of=/dev/sdb status=progress

I wanted to see that the SD-card was actually being written, so I added status=progress to the command.

  4. Mount partition 3 (root filesystem)
    sudo mount /dev/sdb3 /mnt/USB

Replace /mnt/USB with any directory you want to mount to, then browse to /usr/share/u-boot/banana_pi

  5. Flash (dd) the sunxi U-Boot image (with SPL) to the start of the card, i.e. to the disk itself, not to a partition; seek=8 with bs=1K puts it at offset 8 KiB
    sudo dd if=u-boot-sunxi-with-spl.bin of=/dev/sdb bs=1K seek=8

  6. Unmount the root filesystem, and mount partition 1 (boot)
    sudo umount /dev/sdb3 && sudo mount /dev/sdb1 /mnt/USB

  7. Replace the DTBSUNXI reference (sun8i-h3-nanopi-r1.dtb > sun7i-a20-lamobo-r1.dtb)
    sudo sed -i 's/^DTBSUNXI=.*/DTBSUNXI=sun7i-a20-lamobo-r1.dtb/' /mnt/USB/uEnv.txt

Or manually change the line to DTBSUNXI=sun7i-a20-lamobo-r1.dtb

Done! We can boot again :smiley:
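The steps above as one script, added here as an example and not taken from the post or the IPFire wiki; it assumes the same /dev/sdb, /mnt/USB and u-boot path as the steps, adds a mounted-partition guard before writing, and reads the bootloader back from offset 8 KiB to confirm the dd landed where it should:

```shell
#!/bin/sh
# Added example (not from the original post): the SD-card steps above as shell
# functions with a read-back check. The caller passes the disk (e.g. /dev/sdb)
# and mount point explicitly; nothing here guesses a device.
set -eu

# Refuse to write to a disk that still has a mounted partition (step 2).
assert_unmounted() {                    # $1 = disk, e.g. /dev/sdb
    if grep -q "^$1" /proc/mounts 2>/dev/null; then
        echo "$1 has mounted partitions, unmount them first" >&2
        return 1
    fi
}

# Step 3: unpack the xz image straight onto the disk.
write_image() {                         # $1 = ipfire image (.img.xz), $2 = disk
    assert_unmounted "$2"
    xzcat "$1" | dd bs=1M of="$2" status=progress
}

# Step 5: U-Boot with SPL goes to the raw disk at 8 KiB, not into a partition.
# conv=notrunc makes this work on an image file as well as on a block device.
flash_uboot() {                         # $1 = u-boot-sunxi-with-spl.bin, $2 = disk
    dd if="$1" of="$2" bs=1K seek=8 conv=notrunc 2>/dev/null
}

# Read the bootloader back from offset 8 KiB and compare it byte for byte;
# returns 0 only if the on-disk copy matches the file that was written.
verify_uboot() {                        # $1 = u-boot-sunxi-with-spl.bin, $2 = disk
    size=$(wc -c < "$1")
    dd if="$2" bs=1K skip=8 count=$(( size / 1024 + 1 )) 2>/dev/null \
        | head -c "$size" | cmp -s - "$1"
}

# Step 7: point uEnv.txt at the Lamobo R1 device tree; prints the new line.
set_dtb() {                             # $1 = uEnv.txt, $2 = dtb file name
    sed -i "s/^DTBSUNXI=.*/DTBSUNXI=$2/" "$1"
    grep '^DTBSUNXI=' "$1"
}

# Usage (as root): sh flash-bpi.sh ipfire-image.img.xz /dev/sdb /mnt/USB
if [ "$#" -eq 3 ]; then
    UBOOT=/tmp/u-boot-sunxi-with-spl.bin
    write_image "$1" "$2"
    mount "${2}3" "$3"; cp "$3/usr/share/u-boot/banana_pi/u-boot-sunxi-with-spl.bin" "$UBOOT"; umount "${2}3"
    flash_uboot "$UBOOT" "$2" && verify_uboot "$UBOOT" "$2"
    mount "${2}1" "$3"; set_dtb "$3/uEnv.txt" sun7i-a20-lamobo-r1.dtb; umount "${2}1"
fi
```

The functions can be exercised on a plain image file first (dd if=/dev/zero of=disk.img bs=1K count=64), which is a cheap way to check the offsets before touching a real card.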

Initial & network setup
Eth0 is the switch; it’s divided into four different sub-interfaces. Note: you should not use the root device eth0 directly. The fifth, stand-alone port is used as trunk (all VLANs tagged).

You can connect to the JTAG connector (baudrate=115200) for easy configuration. Once you’re connected to the serial port, you can run setup from the command-line, the wizard starts automagically.

Obviously you picked very secure passwords for both root and admin!

Network setup; I use three networks: GREEN + RED + BLUE
RED = uplink
GREEN = LAN
BLUE = Wireless

Drivers and card assignments
RED = eth0.11
GREEN = eth0.12
BLUE = RTL8192CU (Realtek)

Address settings
RED = DHCP (lease from modem)
GREEN = 10.0.100.1/255.255.255.0
BLUE = 10.0.200.1/255.255.255.0

Finally enable DHCP for GREEN, after which the BPI will reboot (generating the RSA server key for HTTPS may take a while, you can grab a coffee).

Connecting to the management interface; i.e. the WUI
WUI stands for Web User Interface, we’ll just keep using WUI. Ok, so just connect your laptop/pc to the port which you used for GREEN (in my case, port 2 → note the port numbers from the wiki page). Then just connect to https://{gateway-ip}:444 (or in my case https://10.0.100.1:444). Don’t worry, it’s just lab info I’m sharing :wink:

So now that I’m in, I need to install some of the basics. Let’s start with updating the package lists (IPFire/Pakfire > Refresh list) and install some packages:

  • iperf3
  • hostapd
  • nano (I cannot work with vim)

Hardening the network
Also let’s get some of the basics out of the way. By default SSH is turned off, and if you need it, just turn it on for 15 minutes (it gives you that option). Also, you shouldn’t expose the management interface to the public internet, a management network with trusted hosts is preferred, but at least LAN-only.

Disclaimer: I’ll try to create separate posts (not threads) describing the below in more detail.

  1. Logging, let’s start with that. It’s preferred to use an external logging server, it provides you with redundancy and processing capacity.
  2. Logging again, you should be checking the log files regularly, but I understand you don’t want to be looking at logs all day. So your best bet is to use some kind of centralized logging facility (I use the ELK stack) and build meaningful dashboards and alerts.
  3. Configure the basics:
    a. URL Filtering → filter everything you DON’T want (better would be to whitelist what you DO want, and block the rest, this is more of a Zero Trust play)
    b. Apply geo-blocking (if you’re not hosting anything of course); block all countries that have no business in/at your network
    c. Use a transparent proxy (SquidClamAV) to scan incoming files for viruses. Yes, signature-based detection typically lags behind and ClamAV isn’t the best, but that doesn’t mean you shouldn’t use it at all.
    Install the necessary add-ons:
    + clamav
    + squidclamav
    Because it uses the proxy functionality, files are scanned inline and impact UX (user experience), then again, I’m more than happy to sacrifice some UX for better security.
    d. Segment your network, yes, divide it into zones and apply inter-zone policy-rules. E.g. block guest-network clients from accessing the corporate network, or block BLUE (wireless) from accessing the WUI.
    e. Leverage the built-in IPS, as the hardening guide mentions, it takes some effort to setup and maintain, but it’s worth it. Too many administrators think IPS is just fire-and-forget… well, it’s not. Signatures change, your network changes and the threat landscape is in constant motion.
    Want to know how Suricata scores against Snort2? See this paper: https://arxiv.org/ftp/arxiv/papers/1710/1710.04843.pdf
    f. Employ DNS security, this has actually become much harder nowadays, as we’re facing DoT, DoH and various other forms. On the one hand you want to enforce integrity (DNSSEC) and on the other hand you want privacy and malware protection (e.g. use OpenDNS or CloudFlare as upstream servers).
    g. Decrypt everything that is not exempt, traffic today is more encrypted than it is not. Which means, to effectively prevent malware, you need to decrypt for detection. This does not go without cost, every re-encryption will cost you dearly on your CPU cycles. It’s the classic trade-off between security and performance… choose wisely.
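Items 1 and 2 above ask for alerts and dashboards on top of the collected logs; as an added example (not from the post), here are two checks over IPFire-style netfilter DROP lines, with constructed sample log lines, that you could run on the central log host before building the same thing in ELK:

```shell
#!/bin/sh
# Added example (not from the original post): two small checks you could run
# on the central log server over IPFire's exported firewall log, the kind of
# "meaningful alert" and dashboard panel items 1 and 2 above ask for.
# The sample lines are constructed, in netfilter LOG format with IPFire-style
# DROP_INPUT / DROP_FORWARD prefixes; the SRC=/DPT= field names are standard.
set -eu

# Per source address, count distinct destination ports that were dropped and
# print "SRC PORTS" for every source at or above the threshold. Many distinct
# ports from one source in a short window is the classic port-scan pattern.
scan_candidates() {                     # $1 = logfile, $2 = min distinct ports
    awk -v min="$2" '
        /DROP_/ {
            src = ""; dpt = ""
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^SRC=/) src = substr($i, 5)
                if ($i ~ /^DPT=/) dpt = substr($i, 5)
            }
            # count each (src, port) pair once, however often it repeats
            if (src != "" && dpt != "" && !seen[src, dpt]++) ports[src]++
        }
        END { for (s in ports) if (ports[s] >= min) print s, ports[s] }
    ' "$1" | sort
}

# Drops per firewall chain, as "CHAIN COUNT" lines; a simple dashboard panel.
drops_by_chain() {                      # $1 = logfile
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^DROP_/) { n[$i]++; break } }
         END { for (c in n) print c, n[c] }' "$1" | sort
}

# Constructed sample: one host probing four ports on RED, one BLUE client
# trying the WUI (444) and a GREEN host (445), and an unrelated mDNS drop.
sample_log() {
    cat <<'EOF'
Sep  6 10:00:01 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=54321 DPT=22 SYN
Sep  6 10:00:01 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=54322 DPT=23 SYN
Sep  6 10:00:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=54323 DPT=445 SYN
Sep  6 10:00:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=54324 DPT=3389 SYN
Sep  6 10:00:02 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=203.0.113.10 DST=198.51.100.2 LEN=40 PROTO=TCP SPT=54325 DPT=22 SYN
Sep  6 10:00:05 ipfire kernel: DROP_INPUT IN=blue0 OUT= SRC=10.0.200.23 DST=10.0.100.1 LEN=60 PROTO=TCP SPT=40000 DPT=444 SYN
Sep  6 10:00:06 ipfire kernel: DROP_FORWARD IN=blue0 OUT=green0 SRC=10.0.200.23 DST=10.0.100.50 LEN=60 PROTO=TCP SPT=40001 DPT=445 SYN
Sep  6 10:00:09 ipfire kernel: DROP_INPUT IN=red0 OUT= SRC=192.0.2.77 DST=198.51.100.2 LEN=40 PROTO=UDP SPT=5353 DPT=5353
EOF
}

# Usage: sample_log > /tmp/fw.log; scan_candidates /tmp/fw.log 4; drops_by_chain /tmp/fw.log
```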

The official IPFire guide also mentions installing HIDS software, but I have not looked into this yet. It’s good advice though, so you should definitely look into it. Myself, I just installed the Zabbix agent and play around with that.

An NGFW (the de facto standard for enterprises according to research) comprises the following:

  • stateful inspection (basically what Firewall-1 started out with)
  • VPN (both site-to-site and remote users)
  • integrated intrusion prevention
  • application control & awareness
  • antivirus
  • anti-spam
  • URL filtering
  • forward and reverse proxy with full decryption (and possible decryption brokerage for other elements in the security chain)
  • DNS security
  • leverage threat intelligence
  • centralized management

A few of the newer capabilities include:

  • sandboxing
  • inline machine learning
  • automation options
  • integration into CASB, SWG and other solutions

IPFire can fulfill quite a few of these capabilities, without costing you an arm and a leg. It just takes some effort and maintenance (COTS products will also come with a learning curve and maintenance). I’m not saying either is better or worse; this depends on YOUR (business) goals.

Performance testing
One of the reasons I’m doing this write-up is to provide clarity into the performance of the BPI, and possibly my APU2D4 (if/when I find the time). I’d like to standardize the tests as much as possible, so it’ll be easy to reproduce and give insights into what you need for your use-case (either your home or a small business).

What stats are meaningful in order to determine throughput? I’d say plain old throughput speed (hence iperf) and encryption speed.

  1. iPerf3: there are three scenarios to test
  • FW-to-internet
  • client-to-FW
  • client-to-internet

iperf3 -c {iperf-server}

  2. Encryption speed testing, this is basically using the openssl library and measuring speed. There are two scenarios for this test:
  • without AES-NI
  • with AES-NI

AES-NI is basically hardware acceleration, which should improve speeds when available for the library. Just add -evp to use the EVP interface, which leverages the hardware acceleration.

Test without EVP
openssl speed aes-256-gcm

Test with EVP
openssl speed -evp aes-256-gcm

Why GCM? Because it’s considered more secure than CBC, put simply, it’s CBC + authentication. This also makes it more CPU-hungry, so pick your ciphers carefully, it’s again a matter of security vs performance (and security should win). If performance drops below acceptable, you should definitely upgrade your hardware instead of using weak(er) ciphers.
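As an added example (not from the post), a wrapper around the two speed commands that parses the report, computes the EVP speed-up and checks /proc/cpuinfo for AES hardware, so the BPI and the APU2D4 can be compared with the same procedure; the table layout it parses is the standard openssl speed summary:

```shell
#!/bin/sh
# Added example (not from the original post): wraps the two openssl speed runs
# above so both boards can be measured the same way, and reports whether the
# CPU has AES hardware at all. Parsing assumes openssl's usual summary table
# (a "type ... 16384 bytes" header, then one "name  N.NNk ..." row per cipher).
set -eu

# x86 CPUs with AES-NI list "aes" in /proc/cpuinfo, as do ARMv8 cores with the
# crypto extension. The BPI's Allwinner A20 (ARMv7 Cortex-A7) has no AES
# instructions, so there any -evp gain comes from OpenSSL's optimised assembly.
has_aes_hw() {
    grep -qw aes /proc/cpuinfo 2>/dev/null
}

# Largest-block (16384 bytes) throughput in kB/s for one cipher from a saved
# report. Case-insensitive: -evp prints AES-256-GCM on newer OpenSSL versions.
peak_kbps() {                           # $1 = report file, $2 = cipher name
    awk -v c="$2" 'tolower($1) == tolower(c) { v = $NF; sub(/k$/, "", v); print v; exit }' "$1"
}

# Ratio a/b to two decimals; 4.00 means the first run is four times faster.
speedup() {                             # $1 = evp kB/s, $2 = plain kB/s
    awk -v a="$1" -v b="$2" 'BEGIN { printf "%.2f\n", a / b }'
}

# Run both variants for one cipher and print a one-line comparison.
benchmark() {                           # $1 = cipher, e.g. aes-256-gcm
    plain=$(mktemp); evp=$(mktemp)
    openssl speed "$1" > "$plain" 2>&1          # test without EVP
    openssl speed -evp "$1" > "$evp" 2>&1       # test with EVP (hardware path if present)
    p=$(peak_kbps "$plain" "$1"); e=$(peak_kbps "$evp" "$1")
    hw=no; has_aes_hw && hw=yes
    printf '%s: plain %s kB/s, evp %s kB/s, speed-up %sx, aes-hw=%s\n' \
        "$1" "$p" "$e" "$(speedup "$e" "$p")" "$hw"
    rm -f "$plain" "$evp"
}

# Usage: sh aes-bench.sh aes-256-gcm   (add -seconds 1 to both openssl calls for a quick run)
if [ "$#" -eq 1 ]; then benchmark "$1"; fi
```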

In my view the Bananapi/Lamobo R1 is crap. It cannot be used on German xDSL connections because you need VLAN 7 on the DSL side, which cannot be configured and saved.

Also the kernel developers changed the internal DSA switch configuration again, so the old config is not valid with kernel 5.10. (After the update to core 159 you need to reconfigure the network again.)


Hi @arne_f,

Thanks for your candor. I agree it’s not the best appliance, but it has served its purpose (behind a modem though). It now serves as a lab device on which I test updates/configs/policies :smiley: I do think that, for simple home use, it can be a good device to learn IPFire on.

Maybe I should close this thread and continue the config (which is more generic of nature) in another thread.

Good hint towards the upcoming switch config change, it took me some time to comprehend this when I was more “nooby” and didn’t understand networking.

It was not my intention to close the thread. I only wanted to warn about problems with the next core.
After installing core 159 you have to run setup and remove all assigned ports and reassign them.
Now you can also add more than one port to green or blue. (Assign one in the setup and later add others in the web GUI via zone config.)

Tagged mode on the single port, for adding more ports via an external VLAN switch, is not supported anymore.


The problem with SBC based on Allwinner a20 SoC appears to be more fundamental than an issue with the router component.

I had IPFire working for several years on the basic Bananapi. It’s no longer usable with core 159, because the module for USB host is not loaded. Consequently a USB-Ethernet dongle is not found and IPFire is unusable with only one wired Ethernet.

This host controller is within the SoC. I can get Archlinuxarm (kernel 5.11.n) working with the USB devices, but can’t identify the module being used for the host. Archlinuxarm no longer supports “lsusb”. I’m not a regular user of Arch and don’t know my way around it.

USB devices are now found, when installing nightly development build 55cb5e93 of 2021-09-06 core 160. Critically, the USB-ethernet dongle is functioning - dm9601 module, in my case.

Implication for users of bananapi (and Cubietruck) is to stay with core 158, for the time being and skip core 159. It might be possible to upgrade to core 160, but only if using onboard ethernet as RED0 and serial interface to initiate the upgrade. I don’t have a serial cable attached to my bananapi and can’t verify.

I suggest replacing the dm9601, because this is a USB 1.1 chipset which is really slow (below 5 Mbit).

Thanks for pointing that out, which I had not noticed. I do have dongles that use r8169 and report USB 2.10 when connected to a USB 2 bus.