Temperature Sensors
In this post you'll learn how to add temperature sensors to your Klipper configuration.
Written by Stefan J. Trucker on . Posted in Firmware Setups.
The Ramps 1.4 mainboard is used together with an Arduino Mega and was the first really good mainboard for 3D printing. Back then almost every 3D printer was fitted with this board, and to this day it is still a good tool for seeing exactly how the electronics of a 3D printer are put together.
Read more: Ramps 1.4 Klipper Setup
Written by Stefan J. Trucker on . Posted in Firmware Setups.
HTTPS (ssl)
This will add encryption to the connection, making it a little harder to intercept and read the credentials sent in clear text by the "basic auth" method.
To keep it simple I did everything below as root.
Code:
sudo su
Create a self-signed ssl certificate
A self signed certificate is good enough for this purpose. In our case the only practical difference from a "proper" certificate made by a well known "Certificate Authority" (such as letsencrypt, verisign, thawte) is that the browser will show an annoying warning that our shiny new certificate can't be trusted.
But we know it can be trusted since we just made it ourselves.
You'll need openssl for this. You probably have it already but if you don't then:
Code:
apt install openssl
Choose a nice location and name for the cert and key file.
I selected /etc/nginx/0-snakeoil.* but it can be anything.
Now make a self signed certificate, valid for at least 10 years so we don't have to replace it too often
There will be a bunch of questions such as Country Name, Email and whatnot.
Just accept whatever the defaults are and press [enter], it doesn't matter what the replies are.
Code:
openssl req -x509 -nodes -days 36500 -newkey rsa:2048 -keyout /etc/nginx/0-snakeoil.key -out /etc/nginx/0-snakeoil.crt
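A self-signed certificate can only be trusted if the one the browser warns about is really the one you generated. The following added example (not part of the original post) creates the pair without the interactive questions, checks that key and certificate belong together, and prints the SHA-256 fingerprint to compare with the browser's certificate details. The host name `mainsail.local`, the 3650-day lifetime and the temporary directory are assumptions; OpenSSL 1.1.1 or newer is assumed for `-addext`.

```shell
#!/bin/sh
# Added example. Assumptions: openssl >= 1.1.1 is installed; the host name
# "mainsail.local" and the temporary directory are placeholders.

# Create a key and self-signed certificate without the interactive questions.
make_cert() {   # $1 = output directory, $2 = host name typed into the browser
    ( umask 077   # files are created readable by their owner only
      openssl req -x509 -nodes -days 3650 -newkey rsa:2048 \
          -subj "/CN=$2" -addext "subjectAltName=DNS:$2" \
          -keyout "$1/snakeoil.key" -out "$1/snakeoil.crt" 2>/dev/null )
}

# SHA-256 fingerprint as colon-separated hex, the form browsers display.
cert_fingerprint() {   # $1 = certificate file
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Succeed only if the certificate was issued for this private key.
key_matches_cert() {   # $1 = certificate, $2 = key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Fingerprint of the certificate a running server actually presents.
served_fingerprint() {   # $1 = host:port
    openssl s_client -connect "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

dir=$(mktemp -d)
make_cert "$dir" mainsail.local
key_matches_cert "$dir/snakeoil.crt" "$dir/snakeoil.key" && echo "key and certificate match"
echo "expected fingerprint: $(cert_fingerprint "$dir/snakeoil.crt")"
rm -rf "$dir"
```

Once nginx is serving the certificate, `served_fingerprint printer-address:443` should print the same value as `cert_fingerprint /etc/nginx/0-snakeoil.crt`.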
Now it's time to edit file /etc/nginx/sites-available/mainsail again. See section PASSWORD above. (in part 1)
Perhaps also make a new backup of the file before you start editing, so you can roll back if things don't go as planned.
Under the "server" section, comment out the "listen 80;" line.
Add these three lines
Code:
listen 443 ssl default_server;
ssl_certificate /etc/nginx/0-snakeoil.crt;
ssl_certificate_key /etc/nginx/0-snakeoil.key;
I saw somewhere that it's a good idea to comment out all "gzip" directives under "server" when ssl is enabled.
Not sure why. I assume it's to ease the load on the cpu.
In any case, I commented out all "gzip" directives for good measure.
Example config from my machine, including the "auth_basic" config from section PASSWORD above (in part 1)
Code:
# /etc/nginx/sites-available/mainsail
server {
    # basic auth from section PASSWORD (part 1)
    auth_basic "go away";
    auth_basic_user_file /etc/nginx/0-passwords.txt;

    # plain http disabled, https only
    #listen 80;
    listen 443 ssl default_server;
    ssl_certificate /etc/nginx/0-snakeoil.crt;
    ssl_certificate_key /etc/nginx/0-snakeoil.key;

    access_log /var/log/nginx/mainsail-access.log;
    error_log /var/log/nginx/mainsail-error.log;

    # disable this section on smaller hardware like a pi zero
    #gzip on;
    #gzip_vary on;
    #gzip_proxied any;
    #gzip_proxied expired no-cache no-store private auth;
    #gzip_comp_level 4;
    #gzip_buffers 16 8k;
    #gzip_http_version 1.1;
    #gzip_types text/plain text/css text/xml text/javascript application/javascript application/x-javascript application/json application/xml;

    # (remaining directives of the file are not shown here)
}
Restart nginx, either "service nginx restart" or "systemctl restart nginx"
You should now be able to access your printer using https://
I had to clear my browser cache to get it going, maybe you have to do the same.
Until I cleared the cache all I got was error messages about moonraker being unavailable, maybe due to a cached script or some such.
Since we commented out "listen 80;" you won't be able to access your printer using http anymore. Only https.
FIREWALL
This will add a couple of firewall rules and stop all (more or less) incoming connection attempts but ssh and https.
I used iptables, there are probably newer and better ways to do this but iptables is what I'm familiar with, so iptables it is.
To keep it simple I did everything below as root.
Code:
sudo su
You'll want iptables-persistent for this. It will enable saved firewall rules to become active at boot time.
Code:
apt install iptables-persistent
You will be asked if you want to save current rules, answer yes to both questions (ipv4 and ipv6) even if you don't have any rules to save yet.
create a script with this content, maybe call it firewall_clear.sh:
Code:
#!/bin/sh
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
make it executable
Code:
chmod 755 firewall_clear.sh
It can be used to remove all firewall rules in case there is a problem later on.
Now create a script "firewall_set.sh" or similar, with the firewall rules we will attempt to use.
None of the lines with "icmp" are really necessary, you can omit them if you like.
They are nice to have though, in case someone tries to get your host to honor malicious redirects or similar.
Code:
#!/bin/sh
PATH=/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin
#------------------------------------------------------------------------------
#***** Remove all rules, set input and forward policy to DROP
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
#------------------------------------------------------------------------------
#***** Declare additional chain names
iptables -N icmp_packets
#***** allow all to 127.0.0.1
iptables -I INPUT 1 -i lo -j ACCEPT
#***** drop invalid packets
iptables -A FORWARD -m state --state INVALID -j DROP
#***** allow all established and related traffic
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#***** allow ssh
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
#***** allow https (mainsail)
iptables -A INPUT -p tcp --dport 443 -j ACCEPT
#***** catch icmp packets and send them to chain icmp_packets
iptables -A INPUT -p icmp -j icmp_packets
#***** Drop packets that made it all the way down here.
#***** There shouldn't be any, but you never know...
iptables -A INPUT -j DROP
iptables -A FORWARD -j DROP
#------------------------------------------------------------------------------
#***** chain icmp, allow some icmp packets
#***** 0=Echo Reply 3=Destination Unreachable 5=Redirect 8=Echo 11=Time Exceeded
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 0 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 3 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 8 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 --icmp-type 11 -j ACCEPT
iptables -A icmp_packets -p icmp -s 0/0 -j DROP
#------------------------------------------------------------------------------
echo "*** rc.firewall was executed on $(uname -n) ***"
make it executable
Code:
chmod 755 firewall_set.sh
Now run it
Code:
./firewall_set.sh
Before anything else try to open a new ssh session to your printer, without closing your current ssh session.
If you can't then run the firewall clear script
Code:
./firewall_clear.sh
If you are really unlucky you may get locked out entirely and can no longer access the printer at all.
Not to worry!
We have not yet saved the firewall rules, so all you have to do is reboot.
Or power cycle, since you probably can't even reboot anymore...
Then have a closer look at "firewall_set.sh" and see if you can find any errors like a missing space, a misplaced " or something.
This line is of particular interest, it opens up for ssh connections
Code:
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
Repeat until you are able to apply the rules and then open a new ssh connection.
If it did work and you could open a new ssh connection then you can go ahead and save the firewall rules so they will be run at boot time
Code:
iptables-save > /etc/iptables/rules.v4
Maybe verify that the rules did get saved with
Code:
cat /etc/iptables/rules.v4
Then reboot and verify that the rules have been applied
Code:
iptables -L
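Reading `rules.v4` by eye is easy to get wrong, and `iptables` only covers IPv4: the `rules.v6` file written by iptables-persistent holds whatever `ip6tables` had, which the scripts above never touch. The following added example (not part of the original post) audits saved rule files for a DROP default on INPUT and for exactly the expected open TCP ports. The sample rule texts are constructed, the function names are hypothetical, and only single-port `--dport` rules are recognised.

```shell
# Added example: audit iptables-save output such as /etc/iptables/rules.v4.

# Constructed sample: roughly what iptables-save prints after firewall_set.sh.
SAMPLE_V4='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:icmp_packets - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p icmp -j icmp_packets
-A INPUT -j DROP
-A icmp_packets -p icmp -j DROP
COMMIT'

# Constructed sample: a rules.v6 saved while no ip6tables rules existed.
SAMPLE_V6='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'

# Print the default policy of the filter table's INPUT chain (reads stdin).
input_policy() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && $1 == ":INPUT" { print $2 }'
}

# Print the TCP ports INPUT accepts via --dport, sorted, space separated.
open_tcp_ports() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && $2 == "INPUT" && /-p tcp/ && /-j ACCEPT/ {
             for (i = 1; i < NF; i++) if ($i == "--dport") print $(i + 1)
         }' | sort -n | tr '\n' ' ' | sed 's/ $//'
}

# Succeed only if INPUT defaults to DROP and exactly the expected ports are open.
audit_rules() {   # $1 = rules text, $2 = expected ports, e.g. "22 443"
    [ "$(printf '%s\n' "$1" | input_policy)" = "DROP" ] &&
    [ "$(printf '%s\n' "$1" | open_tcp_ports)" = "$2" ]
}

for f in /etc/iptables/rules.v4 /etc/iptables/rules.v6; do
    [ -r "$f" ] || continue
    if audit_rules "$(cat "$f")" "22 443"; then echo "OK   $f"; else echo "FAIL $f"; fi
done
```

A `FAIL` on `rules.v6` means the host is still reachable without filtering over IPv6 if it has an IPv6 address; the same rule set can be applied with `ip6tables` and saved to `/etc/iptables/rules.v6`.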
That should be it.
The printer is now firewalled, password protected and https enabled.
At least mine is.
I hope I didn't forget anything...
Written by Stefan J. Trucker on . Posted in Firmware Setups.
If the data stored in the saved-config area is not being loaded, the cause may be that the formatting was changed, or that #*# appears somewhere else in the file.
The printer.cfg file will only work properly if it is free of errors.
It happened to me when I wanted to "hardcode" automatically saved settings, i.e. move them from the lower area directly into the place in the configuration where they belong: one time I forgot to remove #*#, and another time I forgot to change : to =, since the normal configuration uses = and the automatically generated part uses :.
Written by Stefan J. Trucker on . Posted in Firmware Setups.
Default settings for the Ramps 1.4 with the RepRap Full Graphic Smart Display
These settings are intended for use in my self-built S1, a scalable Cartesian FDM 3D printer designed to be replicated.
Code of printer.cfg
# This file contains common pin mappings for RAMPS (v1.3 and later)
# boards. RAMPS boards typically use a firmware compiled for the AVR
# atmega2560 (though the atmega1280 is also possible).
[include mainsail.cfg]
# See docs/Config_Reference.md for a description of parameters.
[stepper_x]
step_pin: PF0
dir_pin: PF1
enable_pin: !PD7
microsteps: 16
rotation_distance: 40
endstop_pin: ^PE5
#endstop_pin: ^PE4
position_endstop: 0
position_max: 200
homing_speed: 50
[stepper_y]
step_pin: PF6
dir_pin: !PF7
enable_pin: !PF2
microsteps: 16
rotation_distance: 40
endstop_pin: ^PJ1
#endstop_pin: ^PJ0
position_endstop: 0
position_max: 200
homing_speed: 50
[stepper_z]
step_pin: PL3
dir_pin: PL1
enable_pin: !PK0
microsteps: 16
rotation_distance: 8
endstop_pin: ^PD3
#endstop_pin: ^PD2
position_endstop: 0.5
position_max: 200
[extruder]
step_pin: PA4
dir_pin: PA6
enable_pin: !PA2
microsteps: 16
rotation_distance: 33.500
nozzle_diameter: 0.400
filament_diameter: 1.750
heater_pin: PB4
sensor_type: EPCOS 100K B57560G104F
sensor_pin: PK5
control: pid
pid_Kp: 22.2
pid_Ki: 1.08
pid_Kd: 114
min_temp: 0
max_temp: 250
#[extruder1]
#step_pin: PC1
#dir_pin: PC3
#enable_pin: !PC7
#heater_pin: PH6
#sensor_pin: PK7
#...
[heater_bed]
heater_pin: PH5
sensor_type: EPCOS 100K B57560G104F
sensor_pin: PK6
control: watermark
min_temp: 0
max_temp: 130
[fan]
pin: PH6
[mcu]
#serial: /dev/ttyACM0
serial: /dev/serial/by-id/usb-Arduino__www.arduino.cc__0042_75834353930351B06162-if00
[printer]
kinematics: cartesian
max_velocity: 300
max_accel: 3000
max_z_velocity: 5
max_z_accel: 100
# Common EXP1 / EXP2 (display) pins
[board_pins]
aliases:
    # Common EXP1 header found on many "all-in-one" ramps clones
    EXP1_1=PC0, EXP1_3=PH0, EXP1_5=PA1, EXP1_7=PA5, EXP1_9=<GND>,
    EXP1_2=PC2, EXP1_4=PH1, EXP1_6=PA3, EXP1_8=PA7, EXP1_10=<5V>,
    # EXP2 header
    EXP2_1=PB3, EXP2_3=PC6, EXP2_5=PC4, EXP2_7=PL0, EXP2_9=<GND>,
    EXP2_2=PB1, EXP2_4=PB0, EXP2_6=PB2, EXP2_8=PG0, EXP2_10=<RST>
    # Pins EXP2_1, EXP2_6, EXP2_2 are also MISO, MOSI, SCK of bus "spi"
    # Note, some boards wire: EXP2_8=<RST>, EXP2_10=PG0
######################################################################
# "RepRapDiscount 128x64 Full Graphic Smart Controller" type displays
######################################################################
[display]
lcd_type: st7920
cs_pin: EXP1_4
sclk_pin: EXP1_5
sid_pin: EXP1_3
encoder_pins: ^EXP2_3, ^EXP2_5
click_pin: ^!EXP1_2
#kill_pin: ^!EXP2_8
[output_pin beeper]
pin: EXP1_1