Building a Linux Wireless Access Point

Over the past few years, wireless networking has made everyone’s lives easier, thanks to being able to connect to the Internet just about anywhere. If you run a Linux shop and want to go wireless, this five-part series will show you how to set up a wireless access point. It is excerpted from chapter four of the Linux Networking Cookbook, written by Carla Schroder (O’Reilly; ISBN: 0596102488). Copyright © 2008 O’Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O’Reilly Media.

4.0 Introduction

Wireless networking is everywhere. Someday, we’ll have built-in wireless receivers in our heads. Meanwhile, times are improving for Linux wireless administrators, if you shop carefully and buy wireless interface cards with good Linux support and WPA2 support. Using well-supported wireless interfaces means you’ll be able to dive directly into configuring your network instead of hassling with funky driver problems. This chapter shows how to build a secure, flexible, robust combination wireless access point/router/Internet firewall using Pyramid Linux on a Soekris single-board computer. It supports wireless and wired Linux, Windows, and Mac OS X clients sharing a broadband Internet connection and LAN services. Just one big happy clump of wired and wireless clients together in harmony.

Why go to all this trouble? Because you’ll have more control, all the powerful features you could ever want, and save money.

You don’t have to have an all-in-one-device. The recipes in this chapter are easy to split apart to make separate devices, such as a dedicated firewall and a separate wireless access point.

I use Pyramid Linux, Soekris or PC Engines WRAP boards, and Atheros wireless interfaces because they are battle-tested and I know they work well. See Chapter 2 to learn how to use these excellent little routerboards.

The example configurations for the different services, such as DHCP, DNS, authentication, iptables, and so forth work fine on other Debian Linux-based distributions, and any x86 hardware. Adapting them for other distributions means figuring out different ways of configuring network interface cards; configuring applications like hostapd, dnsmasq, and iptables is pretty much the same everywhere.

Some folks are a bit confused as to what “native Linux support” means. It doesn’t mean using ndiswrapper, which is a Linux wrapper around Windows binary drivers. I wouldn’t use it unless I were down to my last dime and couldn’t afford to buy an interface card with native Linux support. It’s only good on the client side, doesn’t support all devices or features, and extracting the Windows binary drivers is a fair bit of work. Even worse, it rewards vendors who don’t support Linux customers.

Currently, the Linux-friendliest wireless chipset manufacturers, in varying degrees, are Ralink, Realtek, Atheros, Intel, and Atmel. Then there are reverse-engineered GPL Linux drivers for the popular Broadcom and Intersil Prism chips.

While all of these have open source drivers (http://opensource.org), the Atheros chips require a closed binary Hardware Access Layer (HAL) blob in the Linux kernel. Older Intel chips need a proprietary binary regulatory daemon in user-space, but the current generation do not. Ralink and Realtek handle this job in the radio’s firmware. Supposedly, this is to meet FCC requirements to prevent users from changing frequencies and channels outside of the allowed range. Putting a closed blob in the kernel makes writing and debugging drivers for Linux more difficult, as key parts of the radio’s functions are hidden. Some additional concerns are that the binary blob taints the kernel, a buggy kernel blob can cause a kernel panic, and only the vendor can fix it. Buggy firmware is not as problematic because it just means the device won’t work. The issue of the regulatory blob is a moving target and subject to change. (Go to the See Also section for some interesting reading on these issues.)

I use the Wistron CM9 mini-PCI interface (based on the Atheros AR5213) in my wireless access points because it gives full functionality: client, master, ad hoc, raw mode monitoring, WPA/WPA2, and all three WiFi bands (a/b/g) are supported. On the Linux client side, any of the supported wireless interfaces will work fine. Be careful with USB WICs—some work fine on Linux, some don’t work at all. Get help from Google and the resources listed at the end of this introduction.

Discovering the chipset in any particular device before purchase is a real pain—most vendors don’t volunteer the information, and love to play “change the chipset” without giving you an easy way to find out before making a purchase. To get up and running with the least hassle, consult a hardware vendor that specializes in Linux-supported wireless gear.

An inexpensive but powerhouse alternative to the Soekris and PC Engines routerboards is those little 4-port consumer wireless broadband routers, like the Linksys WRT54G series. There are many similar ones under various brand names, and you’ll find some for under $50. You don’t get all the nice flexibility that you get with the bigger routerboards, but they’re a heck of a value and make excellent dedicated wireless access points. The key to converting these from mediocre home-user boxes into $500 powerhouses is replacing the firmware with OpenWRT (http://openwrt.org/) or DD-WRT (www.dd-wrt.com/). These are open source, free-of-cost (though sending a bit of cash their way wouldn’t hurt any feelings) firmwares designed especially for these little routers. With the new firmware, you can perform amazing feats of packet filtering, bandwidth-shaping, wireless security, VLANs, name services, and much more.

Security

Security is extra important when you’re setting up wireless networking. Your bits are wafting forth into the air, so it’s dead easy for random snoops to eavesdrop on your network traffic. Unsecured wireless access points expose you to two different threats:

  1. LAN intrusions. Your data might get stolen, or your LAN hosts turned into malware-spewing botnets, or used as rogue MP3 and porn servers.
  2. Loss of bandwidth. It’s nice to share, but why allow your network performance to suffer because of some freeloader? Or worse, allow your bandwidth to be used for ill purposes?

If you wish to provide an open access point for anyone to use, do it the smart way. Wall it off securely from your LAN, and limit its bandwidth. One way to do this is to use a second wireless interface, if your routerboard supports it, or a dedicated access point, then use iptables to forward traffic from it to your WAN interface and block access to your LAN. Pyramid Linux comes with the WiFiDog captive portal, which you can use to remind your visitors of your generosity. Use the web interface to set it up; it takes just a few mouse clicks.
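The iptables policy that walls a guest access point off from the LAN, as an added example (it is not the book’s code, and Pyramid Linux does not ship it). It assumes the guest radio is a second Atheros interface ath1 on a constructed 192.168.2.0/24 subnet, that eth1 is the WAN interface and 192.168.1.0/24 the LAN, as in recipe 4.2; change the four variables to match your box. Guests may reach the router only for DHCP and DNS, may reach the Internet, and may not reach anything on the LAN. Bandwidth limiting is a job for tc and is not covered here.

```sh
#!/bin/sh
# Added example, not from the book: isolate an open/guest access point from
# the LAN while still forwarding its traffic to the WAN. Interface names and
# subnets are assumptions for illustration; override them in the environment.

GUEST_IF="${GUEST_IF:-ath1}"                # second wireless interface (or a dedicated AP's port)
WAN_IF="${WAN_IF:-eth1}"                    # Internet-facing interface, as in recipe 4.2
LAN_NET="${LAN_NET:-192.168.1.0/24}"        # the bridged LAN from recipe 4.2
GUEST_NET="${GUEST_NET:-192.168.2.0/24}"    # constructed guest subnet

# Print the iptables commands that implement the guest policy, one per line.
# Order matters: the LAN DROP sits before the WAN ACCEPT, and the GUEST chain
# ends in DROP so anything not explicitly allowed is discarded.
guest_rules() {
    cat <<EOF
iptables -N GUEST
iptables -A FORWARD -i $GUEST_IF -j GUEST
iptables -A GUEST -d $LAN_NET -j DROP
iptables -A GUEST -s $GUEST_NET -o $WAN_IF -j ACCEPT
iptables -A GUEST -j DROP
iptables -A FORWARD -i $WAN_IF -o $GUEST_IF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
iptables -A INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
iptables -A INPUT -i $GUEST_IF -j DROP
iptables -t nat -A POSTROUTING -s $GUEST_NET -o $WAN_IF -j MASQUERADE
EOF
}

# Run every generated command; stop at the first one that fails.
# The GUEST chain must not already exist (iptables -N fails if it does).
apply_guest_rules() {
    guest_rules | while IFS= read -r cmd; do
        $cmd || exit 1
    done
}

# Dry run by default; pass --apply (as root, on the router) to load the rules.
if [ "${1:-}" = "--apply" ]; then
    apply_guest_rules
else
    guest_rules
fi
```

Run the script with no arguments to review the rules it would load, and with `--apply` on the router once they look right. The rules are appended, so an earlier blanket ACCEPT in FORWARD or INPUT would still win; insert them ahead of such rules, or make this the first script your firewall runs, if that applies to your existing ruleset.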

Encrypting and authenticating your wireless traffic is your number one priority. How do you do this? In the olden days, we had Wired Equivalent Privacy (WEP). Using WEP is barely better than nothing—it is famously weak, and can be cracked in less than 15 minutes with tools that anyone can download, like AirSnort and WEPCrack. Don’t use WEP. Upgrade to devices that support Wi-Fi Protected Access (WPA).

There are two flavors of WPA: WPA and WPA2. WPA is an upgrade of WEP; both use RC4 stream encryption. It was designed to be a transitional protocol between WEP and WPA2. WPA is stronger than WEP, but not as strong as WPA2. WPA2 uses a new strong encryption protocol called Counter Mode with CBC-MAC Protocol (CCMP), which is based on Advanced Encryption Standard (AES). WPA2 is the complete implementation of the 802.11i standard. See Matthew Gast’s excellent book 802.11 Wireless Networks: The Definitive Guide (O’Reilly) for more information on these. The short story is that using WPA2 gives the best protection.

Using modern wireless devices that support WPA2 makes it easy to encrypt and authenticate all of your wireless traffic. WPA supports two different types of authentication: WPA-PSK (aka WPA-Personal, which uses preshared keys) and WPA-EAP (aka WPA-Enterprise, which uses the Extensible Authentication Protocol).

WPA-Personal is simple to set up. It depends on a shared key, which is a passphrase, and which must be distributed to all authorized users. There is no built-in automated method to distribute the keys; you have to do it manually, or write a clever script, or use something like cfengine. The obvious flaw in this scheme is everyone has the same key, so anytime you need to change the key it has to be changed on all clients. However, there is a way to give users unique keys—use hostapd, the host access point daemon. It’s part of the HostAP suite of wireless drivers and utilities, and it includes a simple mechanism for managing multiple keys. This is a slick, simple way to implement some good, strong security.
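The per-user key mechanism described above, as an added example that is not the book’s code: a small script that writes a WPA2-only hostapd configuration and the wpa_psk_file it points at, one line per client. The SSID, file locations, client MAC addresses and passphrases are constructed for illustration; the driver line is also an assumption (modern hostapd uses driver=nl80211, while the MadWiFi-era hostapd used driver=madwifi). Each entry is checked before it is written, because hostapd accepts only an 8 to 63 character passphrase or a 64-hex-digit raw key.

```sh
#!/bin/sh
# Added example, not from the book: generate hostapd.conf for a WPA2/CCMP
# access point and a per-client PSK file. Paths, SSID and client entries are
# assumptions for illustration; override them in the environment.

CONF_DIR="${CONF_DIR:-/etc/hostapd}"
AP_IF="${AP_IF:-ath0}"          # the virtual AP interface from recipe 4.2
SSID="${SSID:-alrac-net}"
CHANNEL="${CHANNEL:-1}"

# Return 0 if $1 is a colon-separated MAC address.
valid_mac() {
    echo "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Return 0 if $1 is a secret hostapd accepts: an 8..63 character passphrase
# or a 64-hex-digit raw PSK.
valid_psk() {
    n=$(printf '%s' "$1" | wc -c | tr -d ' ')
    if [ "$n" -eq 64 ]; then
        echo "$1" | grep -Eiq '^[0-9a-f]{64}$'
    else
        [ "$n" -ge 8 ] && [ "$n" -le 63 ]
    fi
}

# write_psk_file FILE "MAC SECRET" ... : one client per line, rejecting any
# malformed entry so a typo cannot silently lock a user out.
write_psk_file() {
    out="$1"; shift
    : > "$out"
    for entry in "$@"; do
        mac=${entry%% *}
        secret=${entry#* }
        valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
        valid_psk "$secret" || { echo "bad secret for $mac" >&2; return 1; }
        printf '%s %s\n' "$mac" "$secret" >> "$out"
    done
    chmod 600 "$out"   # the file holds every client's key
}

# write_hostapd_conf FILE PSK_FILE : WPA2 only (wpa=2), CCMP only, PSKs from file.
write_hostapd_conf() {
    out="$1"; psk_file="$2"
    cat > "$out" <<EOF
interface=$AP_IF
bridge=br0
driver=nl80211
ssid=$SSID
hw_mode=g
channel=$CHANNEL
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_psk_file=$psk_file
EOF
    chmod 600 "$out"
}

# Pass --write (as root, after /sbin/rw) to create the files under CONF_DIR.
if [ "${1:-}" = "--write" ]; then
    write_psk_file "$CONF_DIR/hostapd.wpa_psk" \
        "00:11:22:33:44:55 correct horse battery staple" \
        "aa:bb:cc:dd:ee:ff 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" &&
    write_hostapd_conf "$CONF_DIR/hostapd.conf" "$CONF_DIR/hostapd.wpa_psk"
fi
```

Revoking one user then means deleting one line from hostapd.wpa_psk and restarting hostapd, rather than rekeying every client. Because entries are keyed by MAC address, a client whose MAC changes needs a new line; the wildcard address 00:00:00:00:00:00 in that file matches any client, which brings back the shared-key problem, so avoid it unless you mean it.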

WPA-Enterprise requires an authentication server, most commonly a RADIUS server. It’s more work to set up, but once it’s up, it’s easier to manage users and keys. A RADIUS server is overkill if you’re running a single access point, but it’s a lifesaver if your network has several points of entry, such as dial-up, a VPN gateway, and multiple wireless access points, because all of them can use a single RADIUS server for authentication and authorization.

HostAP includes an embedded RADIUS server. Other access points can use it just like a standalone RADIUS server.

wpa_supplicant handles the interaction between the client and the server. wpa_supplicant is included in virtually all Linux distributions, though it may not be installed by default. Mac OS X and Windows also have supplicants. The word supplicant was chosen deliberately, with its connotations of humbly requesting permission to enter your network.

See Also

These articles discuss the “binary blob” issue:

  •  “OpenBSD: wpi, A Blob Free Intel PRO/Wireless 3945ABG Driver”: http://kerneltrap.org/node/6650
  •  “Feature: OpenBSD Works To Open Wireless Chipsets”: http://kerneltrap.org/node/4118

For building your own wireless access points and getting product information in plain English without marketing guff, check out specialty online retailers like:

  1. Metrix.net at http://metrix.net/metrix/ offers customized wireless access points and accessories based on Pyramid Linux, and custom services
  2. Netgate.com: http://netgate.com/
  3. Mini-box.com: http://www.mini-box.com/
  4. Routerboard.com: http://www.routerboard.com
  5. DamnSmallLinux.org store: http://www.damnsmallinux.org/store/

These sites identify wireless chipsets by brand name and model number:

  1. MadWifi.org for Atheros devices: http://madwifi.org/
  2. Atheros.com: http://www.atheros.com/
  3. rt2x00 Open Source Project for Ralink devices: http://rt2x00.serialmonkey.com/wiki/index.php?title=Main_Page
  4. FSF-approved wireless interface cards: http://www.fsf.org/resources/hw/net/wireless/cards.html

General wireless resources:

  1. Ralinktech.com: http://www.ralinktech.com/
  2. Linux on Realtek: http://rtl8181.sourceforge.net/
  3. Realtek.com: http://www.realtek.com.tw/default.aspx
  4. FSF list of supported wireless cards: http://www.fsf.org/resources/hw/net/wireless/cards.html
  5. Seattle Wireless, a great resource for all things wireless, and especially building community networks: http://seattlewireless.net/
  6. LiveKiosk: http://www.livekiosk.com
  7. Wireless LAN resources for Linux, the gigantic mother lode of information for wireless on Linux: http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/

4.1 Building a Linux Wireless Access Point

Problem

You don’t want to dink around with prefab commercial wireless access points. They’re either too simple and too inflexible for your needs, or too expensive and inflexible. So, like a good Linux geek, you want to build your own. You want a nice quiet little compact customizable box, and you want to be able to add or remove features as you need, just like on any Linux computer. For starters, you want everything on a single box: authenticated wireless access point, broadband Internet connection sharing, iptables firewall, and name services.

Solution

  1. Install Pyramid Linux on a Soekris or PC Engines WRAP single-board computer.
  2. Install an Atheros-based wireless mini-PCI card and connect an external antenna.
  3. Configure and test LAN connectivity, and DHCP and DNS.
  4. Keep your router off the Internet until it’s properly hardened, firewalled, and tested.
  5. Add Internet connectivity, and voilà! It is done.

Continue on to the next recipes to learn how to do all of these things.

Discussion

If you prefer separating out your services on different physical boxes, such as wireless access point, firewall, and nameserver, the recipes in this chapter are easy to adapt to do this.

Soekris has two series of routerboards: 45xx and 48xx. Choose whatever model meets your needs. At a minimum, you need 64 MB RAM, a Compact Flash slot, a mini-PCI slot, and two Ethernet ports. More powerful CPUs and more RAM are always nice to have. A second mini-PCI slot lets you add a second wireless interface. PCMCIA slots give you more flexibility because these support both wired and wireless interfaces.

The 45xx boards have 100 or 133 MHz CPUs and 32 to 128 MB SDRAM. The 48xx boards have 233 or 266 MHz processors and 128 to 256 MB SDRAM. You’ll see network speeds top out on the 45xx boards around 17 Mbps, and the more powerful 48xx boards will perform at up to 50 Mbps. 17 Mbps is faster than most cable or DSL Internet connections. For ordinary web surfing and email, the 45xx boards are fine. If you’re running VoIP services, doing online gaming, serving more than 50 users, or running any peer protocols like BitTorrent, then go for the 48xx boards.

PC Engines WRAP boards are similar to the Soekris boards, and are usually a bit less expensive. Both use Geode CPUs, are about the same size, and similarly featured. Both vendors will customize the boards pretty much however you want.

See Also
  1. Chapter 2
  2. Chapter 17
  3. Soekris.com: http://www.soekris.com/
  4. MadWifi.org: http://madwifi.org/

4.2 Bridging Wireless to Wired

Problem

How do you integrate your wired and wireless clients so that they share an Internet connection and LAN services all in one big happy subnet? You know that when you have multiple Ethernet interfaces on the same box they cannot all be on the same subnet, but must all have addresses from separate subnets. You want everyone all in a single subnet, and don’t want a lot of administration headaches, so how will you do this?

Solution

Your routerboard needs at least three network interfaces: your Atheros interface, plus two Ethernet interfaces. ath0 is your wireless interface, eth0 is the LAN interface, and eth1 is your WAN interface.

What we will do is build an Ethernet bridge between ath0 and eth0. Copy this example /etc/network/interfaces, substituting your own LAN addresses and your own ESSID. Remember to run /sbin/rw first to make the Pyramid filesystem writable:

  pyramid:~# /sbin/rw
  pyramid:~# nano /etc/network/interfaces

  ##/etc/network/interfaces
  ## wireless bridge configuration
  auto lo
  iface lo inet loopback

  auto br0
  iface br0 inet static
      address 192.168.1.50
      network 192.168.1.0
      netmask 255.255.255.0
      broadcast 192.168.1.255
      bridge_ports ath0 eth0
      post-down wlanconfig ath0 destroy
      pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
      pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto
      pre-up ifconfig ath0 up
      pre-up sleep 3

You can test this now by networking with some LAN hosts that have static IP addresses. First restart networking on the router:

  pyramid:~# /etc/init.d/networking restart

This creates a wide-open wireless access point. Point your clients to 192.168.1.50 as the default gateway, and you should be able to easily join any wireless clients to your LAN, and ping both wired and wireless PCs. When you’re finished, remember to return the filesystem to read-only:

  pyramid:~# /sbin/ro
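A scripted version of the check above, as an added example that is not the book’s code: two small parsers for the output of `brctl show` and `iwconfig ath0`, plus a check that br0 really has both ath0 and eth0 attached and that ath0 came up in Master (access point) mode. The functions read their input from stdin so you can feed them live command output on the router; the samples embedded below are constructed stand-ins (including the bridge id and MAC address) so the script also runs off the box.

```sh
#!/bin/sh
# Added example, not from the book: verify the wireless bridge from recipe
# 4.2 by parsing `brctl show` and `iwconfig` output. The sample outputs are
# constructed for illustration; the bridge id and MAC address are made up.

# bridge_ports_of BRIDGE < brctl-show-output : print attached ports, one per line.
# brctl prints the first port on the bridge's own line and further ports on
# continuation lines that contain nothing else.
bridge_ports_of() {
    awk -v b="$1" '
        NR == 1 { next }                                  # header line
        $1 == b { found = 1; if (NF >= 4) print $4; next } # bridge line, first port
        found && NF == 1 { print $1; next }               # continuation line
        found { exit }                                    # next bridge starts
    '
}

# ap_mode < iwconfig-output : print the Mode field (Master for an access point).
ap_mode() {
    sed -n 's/.*Mode:\([A-Za-z-]*\).*/\1/p' | head -n 1
}

# check_bridge BRIDGE PORT... < brctl-show-output : 0 if every port is attached.
check_bridge() {
    bridge=$1; shift
    ports=$(bridge_ports_of "$bridge")
    for p in "$@"; do
        echo "$ports" | grep -qx "$p" || { echo "$p missing from $bridge" >&2; return 1; }
    done
}

# Constructed samples standing in for real router output.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br0             8000.000c2903d1a2       no              eth0
                                                        ath0'
SAMPLE_IWCONFIG='ath0      IEEE 802.11g  ESSID:"alrac-net"
          Mode:Master  Frequency:2.412 GHz  Access Point: 00:0B:6B:AA:BB:CC'

# On the router, pass --live to check the real interfaces instead of the samples.
if [ "${1:-}" = "--live" ]; then
    brctl show | check_bridge br0 ath0 eth0 || exit 1
    [ "$(iwconfig ath0 | ap_mode)" = "Master" ] || { echo "ath0 is not in Master mode" >&2; exit 1; }
    echo "bridge ok"
else
    printf '%s\n' "$SAMPLE_BRCTL" | check_bridge br0 ath0 eth0 && echo "sample bridge ok"
    printf '%s\n' "$SAMPLE_IWCONFIG" | ap_mode
fi
```

A port missing from the bridge usually means the pre-up ordering in /etc/network/interfaces went wrong (ath0 must be created and brought up before the bridge is built), and a mode other than Master means wlanconfig did not create the interface with wlanmode ap.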

Discussion

This recipe is totally insecure, but it lets you test your bridge and wireless connectivity before adding more services.

Let’s review the options used in this configuration:

bridge_ports

Define the two interfaces to bridge.

post-down wlanconfig ath0 destroy

This command tears down the access point when the network interfaces go down. wlanconfig is part of MadWiFi-ng. Use it to create, destroy, and manage access points. With wlanconfig, you can have multiple access points on a single device.

pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap

wifi0 is the name the kernel gives to your Atheros interface, which you can see with dmesg. Next, wlanconfig creates the virtual access point, ath0, on top of wifi0.

pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto

Assign the ESSID, channel, and bit-rate. To see the channels, frequencies, and bit-rates supported by your interface card, use this command:

  pyramid:~# wlanconfig ath0 list chan

How do you know which channel to use? If you have only one access point, channel 1 should work fine. If you have up to three, try using channels 1, 6, and 11. For more complex networks, please refer to Matthew Gast’s excellent book, 802.11 Wireless Networks: The Definitive Guide (O’Reilly).

pre-up ifconfig ath0 up

Bring up ath0 before the bridge comes up.

pre-up sleep 3

Brief pause to make sure that everything comes up in order.

You don’t have to build the bridge in the traditional way, by configuring eth0 with a zero-IP address, or bringing it up before the bridge is built, because scripts in /etc/network/if-pre-up.d handle that for you.

I’m sure some of you are wondering about ebtables. ebtables is like iptables for Ethernet bridges. iptables cannot filter bridge traffic, but ebtables can. There are many ingenious ways to use ebtables and Ethernet bridges in your network. In this chapter, I’m leaving ebtables out on purpose because we will be running an iptables Internet firewall on our access point. ebtables is not suitable for an Internet firewall, and trying to use both on the same box is too complicated for this old admin.

See Also
  • Pyramid Linux does not include manpages, so you should either install the applications in this chapter on a PC, or rely on Google
  • wlanconfig is part of MadWiFi-ng
  • man 8 brctl for bridge options
  • iwconfig is part of the wireless-tools package
  • man 8 iwconfig
  • Pyramid Linux: http://pyramid.metrix.net/
  • Recipe 3.2
  • 802.11 Wireless Networks: The Definitive Guide, by Matthew Gast (O’Reilly)

Please check back for the next part of this series.
