In our previous installments we got our little Soekris board up and running, installed Pyramid Linux, and built a nice stout iptables firewall. Today we'll build a wireless access point, so that you can have both wired and wireless clients on your LAN.
Some security-conscious admins prefer using a standalone WAP, rather than combining it with a firewall/gateway. It's simpler to build a dedicated WAP, so that's what we'll do today. You are welcome to put it together however you like.
Before we dive into WAP-ing, I had an email conversation with the helpful Matt Westervelt of Metrix and got some useful tips to share.
Pyramid is based on stock Ubuntu packages, but it ships without any package management tools, not even dpkg. That's only a small inconvenience: boot up the Ubuntu live CD and copy the binaries you want over to your Pyramid box. You'll find out quickly whether you also need some shared libraries, either by running the binaries and reading the error messages, or by asking ldd up front:
$ ldd /usr/bin/arping
        linux-gate.so.1 =>  (0xffffe000)
        libresolv.so.2 => /lib/tls/i686/cmov/libresolv.so.2 (0xb7f91000)
        libc.so.6 => /lib/tls/i686/cmov/libc.so.6 (0xb7e62000)
        /lib/ld-linux.so.2 (0x80000000)
To see all the files in a package, run dpkg -L [packagename]; apt-file search [filename] tells you which package a file belongs to. Both of these run on the Ubuntu side, since Pyramid has no dpkg.
Kernel modules can be copied in the same manner; just remember to run depmod -a afterwards, which rebuilds the modules.dep index so that modprobe can find them. Then do the usual fiddling with modprobe or /etc/modules to load them.
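The copy-and-check procedure above, as an added shell example (it is not from the article, and it is not a Pyramid or Metrix tool): a function that stages a binary together with every shared library ldd reports into a scratch tree that mirrors absolute paths, so the whole tree can be tarred over to the Pyramid box in one go instead of chasing "cannot open shared object file" errors one library at a time. The binary, the destination directory and the tar-over-ssh line in the comments are illustrative; the three shapes of ldd output it parses are the ones shown above.

```shell
#!/bin/sh
# Added example, not from the article: stage a binary plus its shared libraries
# into DESTROOT, preserving absolute paths, ready for "tar -C DESTROOT -cf - ."
# and unpacking under / on the Pyramid box (after remounting it read-write).
#
# Usage: stage_binary /usr/bin/arping /tmp/stage

stage_binary() {
    bin=$1
    dest=$2
    if [ ! -x "$bin" ]; then
        echo "stage_binary: $bin is not an executable" >&2
        return 1
    fi
    mkdir -p "$dest$(dirname "$bin")"
    cp -L "$bin" "$dest$bin"            # -L: copy the file, not a symlink to it

    # ldd prints three kinds of lines; only two name a file on disk:
    #   libc.so.6 => /lib/libc.so.6 (0x...)   -> take the path after "=>"
    #   /lib/ld-linux.so.2 (0x...)            -> the dynamic loader itself
    #   linux-gate.so.1 => (0x...)            -> vDSO, lives in the kernel, skip
    # Libraries are copied dereferenced under the name the binary asks for
    # (libc.so.6), so the symlink chain on the live CD does not matter.
    ldd "$bin" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }
        $1 ~ /^\//               { print $1 }
    ' | sort -u | while read -r lib; do
        mkdir -p "$dest$(dirname "$lib")"
        cp -L "$lib" "$dest$lib"
    done
}

# Number of files that ended up in the tree (binary plus libraries).
staged_count() {
    find "$1" -type f | wc -l | tr -d ' '
}

if [ $# -eq 2 ]; then
    stage_binary "$1" "$2" && echo "staged $(staged_count "$2") files under $2"
fi
```

A statically linked binary gives ldd nothing to report, so only the binary itself is staged, which is exactly what you want.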
You might even consider building a custom kernel with everything you need built in rather than loaded as modules, and leaning it down to just what the board uses. Start from the running kernel's own configuration: zcat /proc/config.gz > .config gives you a starting config-2.6* file. (That file is only there when the kernel was built with CONFIG_IKCONFIG_PROC.)
The Web GUI has limited configuration functionality, and it's going to stay that way. A nice feature of the Web GUI, according to Mr. Westervelt, is "...it uses the standard config files on the box. If you are a keyboard cowgirl, you won't have to worry about some hidden directory that is switching everything back to Web defaults. If you are hand-editing and want to use the Web GUI later, you should take care to read the comments in the files."
Supported Wireless NICs
Our example board has an Atheros 5004 802.11a/b/g mini-PCI card (see Part 1 for specs and photos). Atheros and Prism are good wireless chipsets for a Linux access point because both support HostAP, or master, mode, which is what lets a card act as an access point rather than a client; not all WICs can do this. Both are well supported in Linux. The nice folks at Atheros support the development of open source drivers. The Prism overlords do not, forcing the excellent Prism54 devs to reverse-engineer everything.
The MadWiFi driver has a closed binary hardware abstraction layer (HAL). The rest of it is dual-licensed under both the GPL and the BSD license. The closed binary bit is there to meet FCC regulations. See Madwifi.org/wiki/HAL for details.
A box with two network interfaces normally puts each one on its own subnet and routes between them, and that is not what we want here: the whole point is to have wireless and wired clients on one LAN. So we can't just slap stuff together and watch it work. We have to build an Ethernet bridge (br0) between the wireless and the wired NICs, so that both become ports of a single Layer 2 segment with a single address. The bridge_ports line in the configuration below is handled by the bridge-utils hook for ifupdown. There are also a number of Pyramid Linux-specific tweaks, so follow along carefully.
This is a complete example /etc/network/interfaces file. Copy this exactly, except you must substitute your own LAN addressing and ESSID:
#/etc/network/interfaces
#simple bridge between
#eth0 and ath0

auto lo
iface lo inet loopback

auto br0
iface br0 inet static
    # br0 carries the LAN address; ath0 and eth0 get no addresses of their own
    address 192.168.1.10
    network 192.168.1.0
    netmask 255.255.255.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
    bridge_ports ath0 eth0
    post-down wlanconfig ath0 destroy
    # MadWiFi: create the ath0 virtual AP on top of the wifi0 device
    pre-up wlanconfig ath0 create wlandev wifi0 wlanmode ap
    pre-up iwconfig ath0 essid "alrac-net" channel 01 rate auto rts off frag off
    pre-up ifconfig ath0 up
    # give the card a moment to settle before ath0 is added to the bridge
    pre-up sleep 3
That's right, that's the whole thing. The default file comes with stanzas for every possible network interface, which just get in the way. Chuck 'em all and start over. This configuration treats br0 like an ordinary Ethernet interface, so you can reach the box at 192.168.1.10 like any other host on your LAN. The address, netmask and gateway lines are the Pyramid box's own settings; wireless clients are bridged onto the same segment as the wired LAN, so they use the same Internet gateway, which they learn from the DHCP server configured in the next section.
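A check for the bridge described above, as an added shell example (not from the article): it reads the kernel's sysfs view of the bridge, where /sys/class/net/br0/bridge exists only if br0 really is a bridge and /sys/class/net/br0/brif/<port> exists for each enslaved port. That is the same data brctl show prints, but it is easy to script. The SYSNET variable is an assumption of this example, there so the function can be pointed at a constructed directory tree for a self-test; on the Pyramid box you would just run check_bridge br0 ath0 eth0 after ifup br0.

```shell
#!/bin/sh
# Added example, not from the article: verify that br0 came up with the
# expected ports. Exit status 0 means all is well; each problem is one
# line on stderr.
SYSNET=${SYSNET:-/sys/class/net}   # overridable for testing against a fake tree

# check_bridge BRIDGE PORT...
check_bridge() {
    br=$1
    shift
    rc=0
    if [ ! -d "$SYSNET/$br/bridge" ]; then
        echo "$br: no such bridge (did the bridge_ports line run?)" >&2
        return 1
    fi
    for port in "$@"; do
        if [ -d "$SYSNET/$br/brif/$port" ]; then
            echo "$br: $port is a bridge port"
        elif [ -d "$SYSNET/$port" ]; then
            echo "$br: $port exists but is not enslaved; it must be up before the bridge is built" >&2
            rc=1
        else
            echo "$br: $port does not exist (for ath0, check the pre-up wlanconfig line)" >&2
            rc=1
        fi
    done
    # On an access point a stray extra port bridges some other network
    # straight into the LAN, so anything enslaved that was not asked for
    # is reported as an error too.
    for p in "$SYSNET/$br/brif"/*; do
        [ -e "$p" ] || continue
        name=$(basename "$p")
        wanted=0
        for port in "$@"; do
            [ "$port" = "$name" ] && wanted=1
        done
        if [ "$wanted" -eq 0 ]; then
            echo "$br: unexpected extra port $name" >&2
            rc=1
        fi
    done
    return $rc
}

if [ $# -gt 0 ]; then
    check_bridge "$@"
fi
```

If ath0 is reported missing, the pre-up wlanconfig line failed; if it exists but is not enslaved, it was not up when the bridge hook ran, which is what the pre-up ifconfig and sleep lines are there to prevent.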
DHCP With dnsmasq
Pyramid defaults to using dnsmasq for name services, which is a nice thing: dnsmasq is compact and simple to use, and does DHCP as well as DNS. The first thing to do is disable dhcrelay, which forwards DHCP requests to an upstream DHCP server and would compete with dnsmasq for your wireless clients, so they could end up with a lease, and a DNS server, from somewhere else. Go into /etc/rc2.d and change the dhcrelay link from Start to Kill. Remember to remount the filesystem read-write first (and read-only again when you're done):
pyramid:~# rw
pyramid:~# mv /etc/rc2.d/S20dhcrelay /etc/rc2.d/K20dhcrelay
Now edit /etc/dnsmasq.conf. It's a big file chock-full of useful comments, so the easy way is to rename the existing file and then create a new empty one:
pyramid:~# mv /etc/dnsmasq.conf /etc/dnsmasq.conf-old
pyramid:~# nano /etc/dnsmasq.conf
Populate it with these entries. Use your own DNS servers for "server", your own domain name for both "domain" and "local" (they must match, or lookups for your own hosts get forwarded upstream), and your own addresses for the DHCP range. One thing that bites on a standalone WAP: dnsmasq hands out its own address as the default router unless you tell it otherwise, so point clients at your firewall with dhcp-option=3,<gateway address>:
domain-needed
bogus-priv
# upstream resolvers; use your own
server=22.214.171.124
server=126.96.36.199
# answer this domain locally, never forward it upstream; must match domain= below
local=/alrac.net/
bind-interfaces
expand-hosts
domain=alrac.net
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,10h
dhcp-lease-max=100
# default router for DHCP clients: the firewall, not this box
dhcp-option=3,192.168.1.1
no-negcache
dnsmasq does not have the usual startup script in /etc/init.d on Pyramid; instead it is started from /etc/inittab. That matters when you change the configuration: a HUP makes dnsmasq re-read /etc/hosts and /etc/resolv.conf, not dnsmasq.conf, so to pick up the new file kill the running dnsmasq process and let init restart it from its inittab entry (assuming that entry is a respawn entry, as it is for a daemon). You can catch typos first with dnsmasq --test -C /etc/dnsmasq.conf on dnsmasq versions that have the --test option.
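A sanity check for a dnsmasq.conf of the shape shown above, as an added shell example (not from the article and not part of dnsmasq): it catches the two slips that are easy to make on a standalone access point, a local= domain that does not match domain= (so queries for your own hosts leak to the upstream servers) and a missing router option (dnsmasq's default router is the host running dnsmasq, which on a WAP is not the gateway). The two sample configurations it carries are constructed for the demonstration: "bad" has both slips, "good" is the same file with both fixed.

```shell
#!/bin/sh
# Added example, not from the article: lint a dnsmasq.conf before killing
# dnsmasq to reload it. Usage: lint_dnsmasq_conf /etc/dnsmasq.conf
# With no argument it runs over two constructed sample files.

lint_dnsmasq_conf() {
    conf=$1
    rc=0
    # first domain= value, without any ",subnet" qualifier
    domain=$(sed -n 's/^domain=\([^,]*\).*/\1/p' "$conf" | head -n 1)
    # first local=/.../ value
    local_dom=$(sed -n 's#^local=/\([^/]*\)/.*#\1#p' "$conf" | head -n 1)
    if [ -n "$domain" ] && [ "$domain" != "$local_dom" ]; then
        echo "local=/$local_dom/ does not match domain=$domain; use local=/$domain/" >&2
        rc=1
    fi
    # dnsmasq accepts either the numeric option or the named form
    if ! grep -q -e '^dhcp-option=3,' -e '^dhcp-option=option:router,' "$conf"; then
        echo "no router option: add dhcp-option=3,<gateway> or clients will use this box as their gateway" >&2
        rc=1
    fi
    if ! grep -q '^dhcp-range=' "$conf"; then
        echo "no dhcp-range: dnsmasq will serve DNS only, no DHCP" >&2
        rc=1
    fi
    return $rc
}

# Constructed samples for the demo and self-test (not real files).
write_sample_conf() {
    case $1 in
    bad) cat > "$2" <<'EOF'
domain-needed
bogus-priv
server=22.214.171.124
local=/localnet/
bind-interfaces
expand-hosts
domain=alrac.net
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,10h
dhcp-lease-max=100
no-negcache
EOF
    ;;
    good) cat > "$2" <<'EOF'
domain-needed
bogus-priv
server=22.214.171.124
local=/alrac.net/
bind-interfaces
expand-hosts
domain=alrac.net
dhcp-range=192.168.1.100,192.168.1.200,255.255.255.0,10h
dhcp-lease-max=100
dhcp-option=3,192.168.1.1
no-negcache
EOF
    ;;
    esac
}

if [ $# -eq 1 ]; then
    lint_dnsmasq_conf "$1"
else
    for kind in bad good; do
        f=$(mktemp)
        write_sample_conf "$kind" "$f"
        echo "== $kind sample =="
        lint_dnsmasq_conf "$f" && echo "OK" || echo "FAILED"
        rm -f "$f"
    done
fi
```

The linter only checks the first domain= and local= lines; a configuration with several local domains needs a broader check, but the single-domain file used here is the common case on a home LAN.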
Now what? Well, you probably want to encrypt your connection, especially since your wireless clients are inside your firewall and the interfaces file above brings ath0 up as an open network: anyone in range can join your LAN. If you are fortunate enough to have devices that are Wi-Fi CERTIFIED, they support WPA2, which is a good thing. WPA2 provides strong encryption and is easy to administer; on a Linux access point it is handled by hostapd.
If you have older WICs like my Prism I, which is not upgradeable to WPA2, there are still a number of options, like SSH tunneling and OpenVPN tunnels. See Resources for a number of articles on locking down your wireless network.
This is not a good setup for providing wide-open wireless access to the world. Pyramid comes with both NoCat and WiFiDog, so if you feel led to provide wireless Internet for the masses, use these and segregate the wireless network from your wired network. Unless you like being naked and helpless on the Internet.