Automated management system for Linksys E8450 (UBI) routers running OpenWrt 24.10.x.
Linksys E8450 (UBI) - MediaTek MT7622 based WiFi 6 router
- 512MB RAM, 128MB NAND flash
- 2.4GHz 802.11ax 2x2, 5GHz 802.11ax 2x2
- 4x Gigabit LAN, 1x Gigabit WAN
- Running OpenWrt UBI variant (special bootloader required)
- primary-ap (192.168.1.1): Primary gateway, DHCP server, firewall
- secondary-ap (192.168.1.2): Wireless extender via WDS backhaul
Target: OpenWrt 24.10.x stable
./scripts/check_updates.sh./scripts/backup_all.sh./scripts/update_packages.sh secondary-ap # Test first
./scripts/update_packages.sh primary-ap # Then production./scripts/deploy_tailscale.sh --list # Show available routers
./scripts/deploy_tailscale.sh <router> # Deploy to router
# Then SSH and run: tailscale up --advertise-exit-node --advertise-routes=<lan_subnet>See tailscale-setup.md for complete setup guide.
.
├── README.md
├── changelog.txt
├── scripts/
│ ├── check_updates.sh # Check for available updates
│ ├── backup_all.sh # Backup both routers
│ ├── update_packages.sh # Apply package updates
│ ├── deploy_tailscale.sh # Deploy Tailscale with firewall config
│ └── remove_tailscale.sh # Remove Tailscale cleanly
├── private/ # Private data (symlinked)
│ ├── setup-private-data.sh # Setup script for symlinks
│ ├── device-data/
│ │ ├── primary-ap/
│ │ │ ├── config/ # UCI config exports
│ │ │ ├── backups/ # Full system backups
│ │ │ └── device_info.txt # Device information
│ │ └── secondary-ap/
│ │ ├── config/
│ │ ├── backups/
│ │ └── device_info.txt
│ └── logs/
│ └── update_[timestamp].log
└── notes/
├── OpenWrt_Forum_Linksys_E8450-distilled.md # Community knowledge base
├── UPGRADE_PROCESS.md # Detailed update procedures
├── flash-layout-v2-upgrade.md # Flash layout v1.0→v2.0 migration
├── tailscale-setup.md # Tailscale exit node and subnet routing
└── private-data-info.md # Private data structure documentation
Based on 4+ years of community experience from the OpenWrt forums (see distilled notes):
- Reboot to Recovery Loop: Device boots into recovery mode after crash due to pstore panic records. Fix with
rm -f /sys/fs/pstore/*then reboot, or cold boot (30s power off) - I/O Errors on mtdblock2: Harmless ECC errors from factory partition - can be safely ignored
- Maximum Stability Tips: Enable IRQBalance, avoid 802.11r with Apple devices, disable hardware flow offloading
- Memory Management: 512MB RAM requires careful management - use zram-swap, disable unused services
- WiFi 6 Tuning: Use 80MHz channels for stability, enable MU-MIMO, configure OFDMA based on client density
- SQM/QoS: E8450 handles ~600Mbps with cake, ~800Mbps with fq_codel
- VLANs & Segmentation: Guest networks, IoT isolation, multiple SSIDs with different security zones
- DNS & Ad-blocking: simple-adblock (lightweight) or AdGuard Home (feature-rich, 100-150MB RAM)
- IPv6 & CGNAT: Full IPv6 support with prefix delegation, DS-Lite, 464XLAT compatibility
- WDS: Most reliable for 2-3 nodes, simple setup
- 802.11s: Better for 4+ nodes, requires tuning
- Channel Selection: Use non-DFS channels (36-48, 149-165), 80MHz width recommended
- Tailscale: Exit node + subnet routing for secure remote access (~50-70MB RAM). See setup guide
- Network-wide VPN (WireGuard ~200Mbps, OpenVPN ~50Mbps)
- Home automation hub (MQTT, Zigbee2MQTT)
- Network monitoring (Netdata, vnstat, nlbwmon)
- USB LTE/5G failover with mwan3
Add to ~/.ssh/config:
Host primary-ap
HostName 192.168.1.1
User root
StrictHostKeyChecking accept-new
Host secondary-ap
HostName 192.168.1.2
User root
StrictHostKeyChecking accept-new
WARNING: The E8450 UBI variant requires special handling:
- Never use non-UBI firmware on UBI devices
- Always use sysupgrade images, not factory images
- The device uses U-Boot 2024.10 with UBI support
- Power loss during upgrade can brick the device - use UPS if possible
Flash Layout Migration: Devices on layout v1.0 cannot sysupgrade to 24.10.5+. You must first flash the UBI installer v1.1.4+ to migrate to layout v2.0. See flash-layout-v2-upgrade.md for the full procedure.
DEVICE="primary-ap" # or "secondary-ap"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
# Backup via LuCI method (recommended)
ssh $DEVICE "sysupgrade -b /tmp/backup.tar.gz"
scp $DEVICE:/tmp/backup.tar.gz ./private/device-data/$DEVICE/backups/${TIMESTAMP}_backup.tar.gz
# Also backup individual config files
for config in network wireless firewall dhcp system; do
ssh $DEVICE "uci export $config" > ./private/device-data/$DEVICE/config/$config
done# Upload and restore backup
scp ./private/device-data/$DEVICE/backups/backup.tar.gz $DEVICE:/tmp/
ssh $DEVICE "sysupgrade -r /tmp/backup.tar.gz && reboot"- owut - CLI tool for firmware updates
- luci-app-attendedsysupgrade - Web UI for firmware updates (System > Attended Sysupgrade)
- Wait 2-4 weeks after release for community feedback
- Check forum for E8450-specific issues
- Test on secondary-ap first
- Keep previous firmware file for rollback
See UPGRADE_PROCESS.md for detailed procedures:
- Package updates
- Configuration backups
- Log review
- Performance monitoring
- 24.10.5: Current stable, requires flash layout v2.0
- 23.05.5: Most stable overall, excellent for production
- Avoid .0 releases and snapshots for production use
DEVICE="primary-ap"
ssh $DEVICE << 'EOF'
echo "=== System Info ==="
uptime
free -m
df -h
echo "=== Network Status ==="
ip -br addr
ip -br link
echo "=== WiFi Status ==="
ubus call network.wireless status
echo "=== Recent Errors ==="
logread | tail -20 | grep -i error
EOF# Check CPU usage during transfers
ssh $DEVICE "top -d 1 | grep -E 'si|sirq'"
# Monitor WiFi quality
ssh $DEVICE "iw dev wlan1 station dump | grep -E 'signal|tx bitrate'"
# Check memory usage
ssh $DEVICE "free -m && ps | awk '{print $5 \" \" $1 \" \" $9}' | sort -rn | head -10"# Show current version
ubus call system board
# Show wireless status
ubus call network.wireless status
# Restart services
/etc/init.d/network restart
/etc/init.d/firewall restart
wifi reload
# Package management
opkg update
opkg list-upgradable
opkg upgrade <package>
# Configuration
uci show
uci set network.lan.ipaddr='192.168.1.1'
uci commit network
# Logs
logread -f # Follow log
dmesg # Kernel messages- All sensitive data (backups, configs, logs) is excluded via
.gitignore - Use strong passwords for WiFi and admin access
- Keep firmware and packages updated
- Consider network segmentation for IoT devices
- Enable firewall logging for suspicious activity monitoring
Default OpenWrt firewall includes some rules that can be safely removed:
# Remove unused IPSec rules (if not using IPSec VPN)
uci show firewall | grep -n 'Allow-IPSec-ESP\|Allow-ISAKMP'
# Delete matching rule numbers, e.g.:
uci delete firewall.@rule[10] # ISAKMP
uci delete firewall.@rule[9] # IPSec-ESP
uci commit firewall && /etc/init.d/firewall reloadSSH security recommendations:
- Bind SSH to LAN interface only:
uci set dropbear.@dropbear[0].Interface='lan' - Disable password auth (use keys):
uci set dropbear.@dropbear[0].PasswordAuth='off'
The web UI (uhttpd) is protected from WAN access by:
- Firewall: WAN zone has
input=REJECTwith no port 80/443 rules - Application:
rfc1918_filter=1blocks non-private source IPs
- OpenWrt E8450 Device Page
- E8450 UBI Installer
- OpenWrt Forum E8450 Thread
- Sysupgrade Documentation
- Community Knowledge Base - Distilled from 4+ years of forum discussions
- Never interrupt power during firmware upgrade
- Always keep backups before making changes
- Test on secondary-ap device before upgrading primary-ap
- Document any custom configurations or scripts
- Monitor logs after upgrade for issues