Diamond DA-40 flight from Lelystad airport

We booked a holiday to south west USA, but due to the corona crisis we had to cancel it, so instead let me write about my hobby, flying airplanes.

Today I made another flight in a Diamond DA-40, the PH-TIN (papa hotel tango india november). I flew by myself today. I fly from Lelystad airport (ICAO code EHLE). I have a PPL (private pilot license) with SEP (single engine piston), SE-IFR (single engine instrument rating), RT (radio telephony), and LPE6 (language proficiency endorsement 6). Currently you are only allowed to fly IFR departures and arrivals after 1800LT. Hence I filed a flight plan with an 1800 off-block time.
The plan is to fly a part of the GRONY1M SID (standard instrument departure) to ERMUR, then go to EKNON, followed by an RNP 23 approach.

This is the airplane:

I already put the aircraft pointing in the right direction so that I can easily taxi out. In the background you can see Lelystad tower.

After doing the “24h inspection” I continued with the pre-flight checklist till the point where I had to start the engine. At Lelystad you first have to call Lelystad delivery to request a start-up.
This was granted because it is not so busy at this time of the day. I did get a bravo departure assigned, which is a VFR departure. So I asked “confirm bravo departure, I filed an IFR flight plan”, upon which the reply came “standby for IFR clearance”. After that I continued with starting the engine. I made a quick photograph of the inside of the airplane:

You can see that the “display backup” button was pushed in, because all information is available on both screens. The left display has a tendency to restart when starting the engine: the battery voltage dips too low, which causes the system to restart. If you zoom in on the photograph (first click on it) you can see that the airport is below sea level.

I continued with the checklist, and after a few minutes I received my IFR clearance with the requested GRONY1M departure. I programmed the route into the flight management system, then switched to the tower frequency and requested “Lelystad tower PHTIN request taxi”. I got the assignment to taxi to S1, which is an intersection all the way at the front of runway 23.

So I am going to fly this departure:

First south west, then south east, then north east, then north and finally north west till ERMUR. As you can see there are some height restrictions on the route. Normally from DOTIX you fly at FL60, but at FL60 you cannot file a direct-to, so I filed a flight plan at FL50.

After my run-up at S1 I called tower again to let them know I was ready, “PHTIN S1 ready for departure”, and got “line up and wait runway 23” as reply. After a short wait on the runway I got a “cleared take-off”. I started flying the departure with a little help from the autopilot. After a short while I was asked to switch to Lelystad arrival on the radio.

After ERMUR I went in the direction of EKNON to start the RNP 23 approach. I got a “cleared approach”, which means that I am allowed to follow the route including the glidepath:

After passing EKNON I made a few photographs (the autopilot is pretty useful!).

The approach chart above shows that at KUVOS you need to be at 3000 ft. Then at LE124 the (GPS) glidepath starts and you begin the final descent to the runway.

Just before LE124 I was asked to switch to the tower frequency. After I did that I was cleared to land: “PHTIN runway 23 cleared to land”. There was some crosswind at the runway (~10 kt), and it was also a bit variable, but I made a smooth landing. After vacating the runway I immediately got a clearance to taxi back to the hangar. After parking the aircraft, I made a quick photograph again.

Luckily there was still one of the flight instructors present, so he could help me put the aircraft back into the hangar. It is very difficult to put a DA-40 in the hangar by yourself; I had actually already agreed to leave the aircraft outside if needed.

The route I flew took 42 minutes. After I got home I looked up the flight on flightradar24.com and downloaded the GPS track:

The strange zig-zags are of course not real.

It was a nice flight again, good to be IFR in the air again. That DA-40 with G1000 is really a nice aircraft to fly; it has really good equipment on board. These days a lot of the (IFR) navigation is GPS based, hence you need to have a good GPS receiver on board. The two large LCD screens help a lot with situational awareness.

How to setup two linked routers with guest net using VLAN 802.1q tagging with OpenWrt

With not a lot of traveling happening (due to the corona crisis) I decided to update my WiFi setup with two new routers to enable a guest net on both. On request I am posting my setup.

I bought two Netgear R7800 routers, as you can install both OpenWrt and DD-WRT on them (just in case I need to switch later on). However, I think OpenWrt is superior in flexibility, updates and transparency, and the interface is also more logical. So I downloaded OpenWrt from https://openwrt.org/downloads.
The latest stable (19.07.3 at time of writing) does not support 802.11k and 802.11v (you can switch it on, but apparently it does not actually send out any information). In the latest snapshot it does work. Hence I recommend the snapshot (till they include this in the stable).

For a new install I would however first flash the stable version, such that you can set up passwords and IP addresses first (the snapshot does not have LuCI installed; you can add that manually though, instructions at the end).

After setting up the IPs for the routers (I chose 192.168.15.1 and .2) it is time to set up the switch: add a VLAN and enable tagging of packets from the VLANs. I have the routers connected via LAN4. The setup on both routers should look like this:

I think you need to reboot them both after the change. Make sure you can still connect to them both.

Then comes the radio setup, radio0:

Select mode:

I left the channel on “auto” and 80 MHz. Later on I actually did change it to 160 MHz and selected channels 52 and 100. Note that for certain 5 GHz channels scanning for radar is mandatory, hence this delays the radios from activating, but they should come up after a minute or so. Make sure they are bridged to the “lan”:

On the security page choose the “KRACK” countermeasures:

The guest net should look almost identical; I use WPA2-CCMP as security, and be sure to bridge it to the “guest” bridge. Also, I did not select the KRACK countermeasures for now, as security is less important for the guest net.

You can isolate clients with the checkbox under advanced settings, though that does not appear to work (maybe it needs another firewall rule, not sure):

For radio 1 it should be identical and in the end look like this:

After that, let’s set up the interfaces:

Set up the lan interface like this:

The guest interface:

The last thing to do is set up the firewall:

The first column shows what traffic is allowed to be forwarded to which other zones. The second column, “input”, decides whether traffic with the router as destination is allowed or not. The third column decides whether the router is allowed to output traffic to that zone. “Forward” decides whether interfaces within a zone are allowed to forward to each other.

I allow the clients on the main net to contact the clients on the guest net, but not the other way around. The main reason is that I have an internet radio I want to control from another device. The forward for the “guest” zone can be set to reject, to prevent forwarding between different networks in the guest zone, but there is only one network in the zone, so I don't think it matters. If you want to block access to the router from the guest net (which is a good idea) then set the input for the guest net to “reject” (as shown), otherwise to “accept”. Reject also blocks DNS and DHCP, so we need to allow those specifically:
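The same guest zone written out as uci commands, added here as an example (it is not the original post's configuration, which was only shown as a LuCI screenshot). It assumes the zone and interface names "lan", "guest" and "wan" from the post and that guests get internet via the wan zone; on router 2, which has no WAN, leave out the guest-to-wan forwarding. Pipe the printed commands into sh on the router.

```shell
#!/bin/sh
# Added example, not from the original post. Prints the uci commands for a
# guest zone whose input is REJECT, with only DHCP and DNS opened towards the
# router, forwarding allowed lan->guest (not guest->lan) and guest->wan.
# Assumed names: zones/interfaces "lan", "guest", "wan".
guest_firewall_cmds() {
cat <<'EOF'
uci add firewall zone
uci set firewall.@zone[-1].name='guest'
uci set firewall.@zone[-1].network='guest'
uci set firewall.@zone[-1].input='REJECT'
uci set firewall.@zone[-1].output='ACCEPT'
uci set firewall.@zone[-1].forward='REJECT'
# guests may reach the internet; the main net may reach guests, not the reverse
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='guest'
uci set firewall.@forwarding[-1].dest='wan'
uci add firewall forwarding
uci set firewall.@forwarding[-1].src='lan'
uci set firewall.@forwarding[-1].dest='guest'
# input is REJECT, so open only what guests need from the router itself
uci add firewall rule
uci set firewall.@rule[-1].name='Guest-DHCP'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].proto='udp'
uci set firewall.@rule[-1].dest_port='67-68'
uci set firewall.@rule[-1].target='ACCEPT'
uci add firewall rule
uci set firewall.@rule[-1].name='Guest-DNS'
uci set firewall.@rule[-1].src='guest'
uci set firewall.@rule[-1].proto='tcp udp'
uci set firewall.@rule[-1].dest_port='53'
uci set firewall.@rule[-1].target='ACCEPT'
uci commit firewall
EOF
}

# Sanity check on the generated config: exactly two ACCEPT rules from guest
# (DHCP and DNS); anything more means a hole in the REJECT input policy.
guest_accept_rule_count() {
  guest_firewall_cmds | grep -c "^uci set firewall.@rule\[-1\].src='guest'"
}

# Usage on the router: guest_firewall_cmds | sh && /etc/init.d/firewall restart
# Verify afterwards with: uci show firewall | grep -i guest
```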

Router 2 should look exactly the same as router 1, except that there are no WAN interfaces, and the gateway should point to router 1:

At this point everything should be functional except 802.11v, k and w. 802.11w can be set up with the LuCI GUI, but for the snapshot it is missing (or maybe it's not showing because the driver for the R7800 does not support it?!?).
Regardless, at this point install the snapshot. Then use PuTTY to access the router:

opkg update
opkg install luci
opkg install luci-ssl
opkg install nano
opkg remove wpad-basic-wolfssl
opkg remove wpad-basic
opkg install wpad-wolfssl
opkg install wireguard
opkg install luci-app-wireguard
opkg install luci-app-statistics
opkg install collectd-mod-thermal
opkg install luci-app-uhttpd
opkg install openssl-util
opkg install openssh-sftp-server
opkg install qrencode
opkg install acme
opkg install luci-app-acme
opkg install umdns
opkg install dawn
opkg install luci-app-dawn

Nano is a text editor, wpad-wolfssl is for using WPA2 Enterprise (802.1X), wireguard is for remote access to the network (an alternative to OpenVPN), statistics is to monitor some items like temperatures. Dawn is for band steering, however that does not seem to work, so I removed that now. umdns is needed for dawn.
Now to set up some items for the wireless which are not available via LuCI:

nano /etc/config/wireless

to check the names of the interfaces “wifinet2” and “wifinet3” on both routers.
Then, if the names match, execute the values below (if not, change the names):

uci set wireless.wifinet2.ieee80211k='1'
uci set wireless.wifinet2.ieee80211v='1'
uci set wireless.wifinet2.wnm_sleep_mode='1'
uci set wireless.wifinet2.wnm_sleep_mode_no_keys='0'
uci set wireless.wifinet2.bss_transition='1'
uci set wireless.wifinet2.time_advertisement='2'
uci set wireless.wifinet2.time_zone='CET-1CEST,M3.5.0,M10.5.0/3'

uci set wireless.wifinet3.ieee80211k='1'
uci set wireless.wifinet3.ieee80211v='1'
uci set wireless.wifinet3.wnm_sleep_mode='1'
uci set wireless.wifinet3.wnm_sleep_mode_no_keys='0'
uci set wireless.wifinet3.bss_transition='1'
uci set wireless.wifinet3.time_advertisement='2'
uci set wireless.wifinet3.time_zone='CET-1CEST,M3.5.0,M10.5.0/3'

uci set wireless.default_radio0.ieee80211k='1'
uci set wireless.default_radio0.ieee80211v='1'
uci set wireless.default_radio0.wnm_sleep_mode='1'
uci set wireless.default_radio0.wnm_sleep_mode_no_keys='0'
uci set wireless.default_radio0.bss_transition='1'
uci set wireless.default_radio0.time_advertisement='2'
uci set wireless.default_radio0.time_zone='CET-1CEST,M3.5.0,M10.5.0/3'
uci set wireless.default_radio0.ieee80211w='2'
uci set wireless.default_radio0.eap_reauth_period='0'

uci set wireless.default_radio1.ieee80211k='1'
uci set wireless.default_radio1.ieee80211v='1'
uci set wireless.default_radio1.wnm_sleep_mode='1'
uci set wireless.default_radio1.wnm_sleep_mode_no_keys='1'
uci set wireless.default_radio1.bss_transition='1'
uci set wireless.default_radio1.time_advertisement='2'
uci set wireless.default_radio1.time_zone='CET-1CEST,M3.5.0,M10.5.0/3'
uci set wireless.default_radio1.ieee80211w='2'
uci set wireless.default_radio1.eap_reauth_period='0'
uci commit wireless
wifi up

I am not sure if wnm_sleep_mode, wnm_sleep_mode_no_keys, time_advertisement and time_zone are needed. The time zone string can be found with:

cat /etc/TZ

Note that I switched 802.11w to “required” for the main network and off for the guest net. I also switched on wnm_sleep_mode_no_keys for the main network and off for the guest net (similar to the KRACK countermeasures).

See also https://w1.fi/cgit/hostap/plain/hostapd/hostapd.conf for info.

Lastly, I tweaked the CPUs a bit (to improve stability). Add this to /etc/rc.local:

echo ondemand > /sys/devices/system/cpu/cpufreq/policy0/scaling_governor
echo ondemand > /sys/devices/system/cpu/cpufreq/policy1/scaling_governor
echo 800000 > /sys/devices/system/cpu/cpufreq/policy0/scaling_min_freq
echo 800000 > /sys/devices/system/cpu/cpufreq/policy1/scaling_min_freq
echo 75 > /sys/devices/system/cpu/cpufreq/ondemand/up_threshold
echo 10 > /sys/devices/system/cpu/cpufreq/ondemand/sampling_down_factor

That’s it. Should be smooth sailing now. Let me know if you have any questions.

P.S. Wireguard setup:

Listen port: 43648
IP addresses: 192.168.25.1/24

Also select a firewall zone. Then per peer fill in: a name, the peer's public key, an IP from the range above (e.g., 192.168.25.100/32), and optionally a pre-shared key. You can generate one with:

wg keygen

On the peer side fill in: Addresses = 192.168.25.100/32, DNS = 192.168.15.1, the public key of the router, and Endpoint = the public IP of the router.
P.P.S. 802.11r setup:
For WPA2 or WPA3 Personal just check the “802.11r” box; you do not need to change anything else. For WPA2 Enterprise I needed to add:

uci set wireless.default_radio0.nasid='MACIDWITHOUTCOLONS'
uci set wireless.default_radio0.ft_over_ds='1'
uci set wireless.default_radio0.ft_bridge='br-lan'
uci set wireless.default_radio0.mobility_domain='ABCD'
uci set wireless.default_radio0.r1_key_holder='MACIDWITHOUTCOLONS'
uci set wireless.default_radio0.ft_psk_generate_local='0'
uci set wireless.default_radio0.pmk_r1_push='1'
uci set wireless.default_radio0.r0kh='FF:FF:FF:FF:FF:FF,*,32digithexkey'
uci set wireless.default_radio0.r1kh='00:00:00:00:00:00,00:00:00:00:00:00,32digithexkey'

For radio1 add the exact same thing; keep the mobility domain the same, but change the nasid and r1_key_holder to the MAC of that radio.
P.P.P.S. See also https://openwrt.org/docs/guide-user/luci/getting_rid_of_luci_https_certificate_warnings and
https://jamielinux.com/docs/openssl-certificate-authority/sign-server-and-client-certificates.html