Download

Downloads

You can download complete images here:

Releases

Beta version

There is no beta version at this moment.

SPIN Source code

Older versions

Device-specific notes and instructions

Raspberry Pi

To run the Valibox software on a raspberry pi, download the uncompressed image, and copy is to a clean SD card. On linux machines this can be done with the following command:

dd if=sidn_valibox_raspberry_sdcard_1.7-beta-201901311150.bin of=/dev/sdX bs=2M conv=fsync

(where sdX is the appropriate device name for your SD card)

The default setup uses the wired connection of the raspberry pi as the 'WAN' interface, and offers a wireless access point on its built-in wifi adapter.

For more, and more general, information on running OpenWRT on a Raspberry Pi, see here

The default password for both the wireless network and the root user is 'goodlife'; users are prompted to change this password before internet access is given.

VirtualBox

The virtualbox image uses an 'internal' and an 'external' network; depending on how you would like the Valibox to work for other machines (virtual or not), configuration may differ.

It expects 2 network interfaces that need to be set up in the VirtualBox management interface; the first one will be the 'WAN' interface, and the second one the 'LAN' interface.

The first interface will be the 'external' interface; set this to 'bridged adapter'.

The second interface will be the 'internal' interface (i.e. acting as a router for its connected devices). Depending on how you would like to use the VM, you'll need to set up the second interface differently, so client devices (or other virtual machines) can use it as the router. For more information, see for instance here

Note that if your 'internal' interface uses a different subnet than 192.168.8.0/24, you may need to edit some configuration files on the device (such as unbound.conf and mosquitto.conf).

We have not (yet?) thought of a good general way to use this version with IoT-devices. If you have ideas or wished for that, please let us know.

Installation guide for GL-Inet devices

Normal update

Standard installation:

  1. Connect a GL-inet to a computer or laptop
  2. Open a browser window and enter the URL http://192.168.8.1
  3. On the left-side menu, click 'Upload Firmware'
  4. Then click 'Upload Firmware' in the upper right
  5. Select the valibox image file

Important! Disable the 'keep settings' checkbox!

  1. When the image has been verified, the Valibox software will be installed. This can take a number of minutes.

Screenshot GL-Inet upload firmware

Boot override

Most devices have a second way of updating; this is worth a shot if the device does not start normally or you cannot access the administrator panels anymore.

This is the method for the GL-inet AR-150; for other versions or system, the process may differ.

More information can be found at http://www.gl-inet.com/how-to-enter-the-uboot-web-ui/

  1. Make sure the GL-inet is powered off
  2. Connect a UTP cable from your computer to the WAN port of the GL-inet.
  3. While holding the reset button, power on the device. Keep holding the reset button for 5 seconds.
  4. Configure your computer to have the IP address 192.168.1.2
  5. Open a browser and go to http://192.168.1.1
  6. Upload the image file to install the Valibox software

Screenshot GL-Inet boot firmware update

Release Changelog

1.8
- Added time.nl to the list of NTP servers
- Updated OpenWRT to 18.06.4
- Updated SPIN to 0.10:
  * The MQTT Traffic channel protocol has changed; node information is now sent in a separate subchannel,
  and flow information uses node id's instead of the full node data
  * Added RPC functionality: some information and functionality can now directly be accessed. If UBUS is
  available, SPIN uses that. Otherwise, it will listen for JSON-RPC commands on /var/run/spin_rpc.sock.
  An overview of the RPC methods can be requested by the RPC method 'list_rpc_methods'
  * The web API now provides and endpoint for all RPC methods as JSON-RPC
  * The SPIN/commands channel is no longer used for interactive commands, and all functionality in spind
  handling commands here has been replaced by the RPC mechanism
  * The bubble app now uses the web API rpc endpoint for commands and direct information retrieval (except
  traffic data). This improves performance and reliability, but it does mean that both spind and
  spin_webui must be running.
  * 'Most recent flows' information can now be retrieved for devices on the network
  * SPIN (and the bubble app) now provide functionality to block traffic between two specific nodes (in
  addition to the existing 'all traffic from and to one node').
  * Added an 'extsrc' source, where pcap data can be sent to SPIN directly
  * The 'mqtt_host' on the bubble app now defaults to the host of the app itself
  * Bugfixes and refactoring: see the git repository for details

1.7
- Added VirtualBox (innotek-gmbh-virtualbox) to the list of supported builds (experimental)
- Added Raspberry Pi 3 (raspberry,3-model-b) to the list of supported builds (experimental)
- Removed GL-Inet 6416 from the list of supported builds
- Updated OpenWRT to v18.06.2
- Updated SPIN to 0.9:
  * Removed kernel module and replaced with conntrack/nflog/nfqueue implementation
  * Added internal module registration and callback architecture
  * Made (mqtt) commands more consistent (removed 'filter' and 'except')
  * Internal node cache is now regularly cleaned
  * Added SPIN configuration support (direct and with UCI)
  * Added operational statistics (published in mqtt SPIN/stat channel)
  * Added initial version of responsive SPA front-end (http://valibox./spin)
  * Added very early profile concept
  * Added PoC-tool 'pcap-reader'
  * Added PoC-tool 'peak-detction'
  * Fixed a memory leak
  * Small updates and bugfixes in visualiser

1.6
IMPORTANT: Version 1.6 contains configuration changes that require 'Remember current configuration settings' to be DISABLED for this update.
- Change base system from LEDE to OpenWRT (18.06.1)
- Check for Wifi password length during initial setup
- Better check for referer in Autonta
- Separation of nginx configuration snippets
- Updated SPIN prototype to 0.7:
  * Web UI now uses lua-minittp
  * Added 'Download PCAP traffic' option to the bubble app, you can directly run tcpdump from the web interface now.
  * Added 'protocol' field to mqtt traffic format
  * Added a web API for configuration and control, see https://github.com/SIDN/spin/blob/master/doc/web_api.md
  * From the WEB API, there is a very rudimentary option to control firewall rules through profiles (as a stepping stone to MUD which is planned for the next release)

1.5
- Updated LEDE to 17.01.4 (commit afca23558a2fbfb2cb044ec69bfb9a7447121927)
- Valibox update screen now also shows changelog if there are no updates
- nginx no longer logs to the file system (issue #4)
- Updated SPIN prototype to 0.6:
  * Added DNS query logging / visualisation
  * Big efficiency update in kmod/spind communication, which should result in much less 'missed' packets
  * The location of the MQTT server is now flexible in all tools and daemons
  * Fixed color of bubbles and arrows (#27, #29, #31)
  * Fixed block and interface buttons (#28, #35)
  * Fixed valibox interface when using the IP address in the browser (#32)
  * Added command-line option to set/unset features of spin_enforcer
  * Updated Vis library
  * Added early MUD prototype
  * Added early prototype of Provider API (in spin_enforcer and incident_report_listener)
  * Improved node merging

1.4
- Changed base system from OpenWRT to LEDE due to support for newer GL-Inet devices
- Updated base system (including patches for krack)
- Assorted cleanups in data logging
- Fixed issue with updater not recognizing X.509 certificate
- Fixed issue where wifi password was not always updated when set by user
- Updated SPIN prototype to 0.5:
  * Renamed main spin daemon spin_mqtt to spind
  * Added 'block' and 'allow' functionality to SPIN graph front-end
  * Added experimental 'auto block' tool spin_enforcer
  * Added verbosity option to capture module
  * Added 'local' mode option to capture module (use IN/OUT chains only, not FORWARD)
  * Improvements in capture module
  * Fixed issue where ignoring a node did not always remove all relevant other nodes from view
  * Fixed issue where user-set name was not shown until restart
  * Fixed issue where ARP table was not always read completely

1.3.0
- Updated to latest OpenWRT trunk and packages
- Updated SPIN prototype to 0.4
- Replaced direct websockets with central MQTT server
- Collection, filtering and blocking is now done through a kernel module for efficiency and to solve compatibility issues with other iptables tools
- added visualisation of blocked traffic
- Fixed issue where user-set names were not remembered
- Fixed issue with spaces and other chars in password screen

1.2.0
- Added prototype version of the SPIN network traffic visualiser
- Ported AutoNTA to lua
- Massively increased speed of main pages
- Removed python dependencies
- Fixed a number of issues with the default configuration of the gl-mt300a image

1.1.3
- Updated Unbound to 1.6.0
- Improved initial password screen
- Remove listen on ULA in unbound

1.1.2
- Update to latest OpenWRT version
- Change defaults to match GL-inet values

1.1.1
- Enable NTA management by default

1.1.0
- Added initial wifi name and password settings page
- Added double-cookie protection of the 'Set NTA' and 'Update install' pages
- 'Ask NTA' page now shows the actual DNSSEC error
- The NTA management can now be turned off, so that you only see the DNSSEC error but cannot override it
- Update system now allows switching between release and beta
- Added 'keep settings' option to update system
- Various other improvements in update system
- Made all texts multilingual (currently the options are en_US and nl_NL)
- Added logging options (to syslog of OpenWRT)
- Added Valibox configuration tab in LuCI (to set language, logging, and disable NTA)

1.0.3
- Stop caching of dynamic internal pages
- HTML cleanup

1.0.2
- Use fixed local addresses instead of derived ones

1.0.1
- Fixed issue with setting the wrong internal IPv6 address
- Fixed issue where unbound would sometimes not start
- Improved layout of NTA pages

1.0.0
- Initial release

1.0.0
- Initial release