Wireless networking is everywhere. Someday, we’ll have built-in wireless receivers in our heads. Meanwhile, times are improving for Linux wireless administrators, if you shop carefully and buy wireless interface cards with good Linux support and WPA2 support. Using well-supported wireless interfaces means you’ll be able to dive directly into configuring your network instead of hassling with funky driver problems. This chapter shows how to build a secure, flexible, robust combination wireless access point/router/Internet firewall using Pyramid Linux on a Soekris single-board computer. It supports wireless and wired Linux, Windows, and Mac OS X clients sharing a broadband Internet connection and LAN services. Just one big happy clump of wired and wireless clients together in harmony.
Why go to all this trouble? Because you’ll have more control, all the powerful features you could ever want, and save money.
You don’t have to have an all-in-one-device. The recipes in this chapter are easy to split apart to make separate devices, such as a dedicated firewall and a separate wireless access point.
I use Pyramid Linux, Soekris or PC Engines WRAP boards, and Atheros wireless interfaces because they are battle-tested and I know they work well. See Chapter 2 to learn how to use these excellent little routerboards.
The example configurations for the different services, such as DHCP, DNS, authentication, iptables, and so forth work fine on other Debian Linux-based distributions, and any x86 hardware. Adapting them for other distributions means figuring out different ways of configuring network interface cards; configuring applications like hostapd, dnsmasq, and iptables is pretty much the same everywhere.
Some folks are bit confused as to what “native Linux support” means. It doesn’t mean using ndiswrapper, which is a Linux wrapper around Windows binary drivers. I wouldn’t use it unless I were down to my last dime and couldn’t afford to buy an interface card with native Linux support. It’s only good on the client side, doesn’t support all devices or features, and extracting the Windows binary drivers is a fair bit of work. Even worse, it rewards vendors who don’t support Linux customers.
Currently, the Linux-friendliest wireless chipset manufacturers, in varying degrees, are Ralink, Realtek, Atheros, Intel, and Atmel. Then there are reverse-engineered GPL Linux drivers for the popular Broadcom and Intersil Prism chips.
While all of these have open source drivers (http://opensource.org), the Atheros chips require a closed binary Hardware Access Layer (HAL) blob in the Linux kernel. Older Intel chips need a proprietary binary regulatory daemon in user-space, but the current generation do not. Ralink and Realtek handle this job in the radio’s firmware. Supposedly, this is to meet FCC requirements to prevent users from changing frequencies and channels outside of the allowed range. Putting a closed blob in the kernel makes writing and debugging drivers for Linux more difficult, as key parts of the radio’s functions are hidden. Some additional concerns are that the binary blob taints the kernel, a buggy kernel blob can cause a kernel panic, and only the vendor can fix it. Buggy firmware is not as problematic because it just means the device won’t work. The issue of the regulatory blob is a moving target and subject to change. (Go to the See Also section for some interesting reading on these issues.)
I use the Wistron CM9 mini-PCI interface (based on the Atheros AR5213) in my wireless access points because it gives full functionality: client, master, ad hoc, raw mode monitoring, WPA/WPA2, and all three WiFi bands (a/b/g) are supported. On the Linux client side, any of the supported wireless interfaces will work fine. Be careful with USB WICs—some work fine on Linux, some don’t work at all. Get help from Google and the resources listed at the end of this introduction.
Discovering the chipset in any particular device before purchase is a real pain—most vendors don’t volunteer the information, and love to play “change the chipset” without giving you an easy way to find out before making a purchase. To get up and running with the least hassle, consult a hardware vendor that specializes in Linux-supported wireless gear.
An inexpensive but powerhouse alternative to the Soekris and PC Engines router-boards are those little 4-port consumer wireless broadband routers, like the Linksys WRT54G series. There are many similar ones under various brand names, and you’ll find some for under $50. You don’t get all the nice flexibililty that you get with the bigger routerboards, but they’re a heck of a value and make excellent dedicated wireless access points. The key to converting these from mediocre home-user boxes into $500 powerhouses is replacing the firmware with OpenWRT (http://openwrt.org/) or DD-WRT (www.dd-wrt.com/). These are open source, free-of-cost (though sending a bit of cash their way wouldn’t hurt any feelings) firmwares designed especially for these little routers. With the new firmware, you can perform amazing feats of packet filtering, bandwidth-shaping, wireless security, VLANs, name services, and much more.