By eric.r.turner at 2003-09-05 23:51
0. Introduction
This document provides step-by-step instructions for setting up a wireless access point using a PC running GNU/Linux and an 802.11b PCI WiFi card based on the Prism 2/2.5/3 chip sets. I wanted a system that would do firewalling, and would provide broadband Internet access to wireless hosts. For this article I chose Slackware 9 with the Netgear MA311 PCI card. Other distributions of GNU/Linux and wireless cards based on the Prism 2, 2.5, and 3 chip sets should work equally well.
Please email your success stories to eric.r.turner(at)bitbreather(dot)com. I am particularly interested in putting together a table of Linux distribution/WiFi card combinations that people have successfully set up using these instructions. If you had to do ANYTHING differently, please let me know so that I can incorporate your discoveries into this document. Thanks!
1. Copyright and Disclaimer
Copyright (C) 2003 by Eric R. Turner. This document may be distributed under the terms set forth in the LDP <http://www.tldp.org/LDP/LDP-Author-Guide/copyrights.html>
This is free documentation. It is distributed in the hope that it will be useful, but without any warranty. The information in this document is correct to the best of my knowledge, but there's always a chance I've made some mistakes, so don't follow everything too blindly, especially if it seems wrong. Nothing here should have a detrimental effect on your computer, but just in case I take no responsibility for any damages incurred from the use of the information contained herein.
2. Assumptions
2.0 Software
You should have GNU/Linux installed with at least kernel 2.4, and should be comfortable editing files and using a command line. I did a full install of Slackware 9.0, which uses the 2.4.20 kernel. You need to have the wireless tools, Ethernet support, and iptables support too.
The files and commands listed here work for Slackware 9. I will gladly include differences between Linux distributions as people send them to me. It should not be too long before this document will be equally usable for all major Linux distributions. ;-)
2.1 Hardware
You should have a computer that is PCI 2.1 compliant. Most systems with a P166 or newer will work. Anything older may not work. You can find out if your system is compliant by checking the output of
Code:
dmesg | grep "PCI BIOS"
You should see something similar to
Code:
PCI: PCI BIOS revision 2.10 entry at 0xfb6c0, last bus=0
You need to have high-speed Internet, and an Ethernet card installed. You also need to have your wireless card installed, of course!
2.2 Experience
These instructions should work for you if you know how to use a command line, edit files, install packages, and have a basic understanding of Linux networking concepts. Section 3 shows you how to set up an Ethernet card, which you may safely skip if you know how to do this already.
3. Ethernet Setup
Ethernet setup can vary greatly between Linux distributions. If you have any difficulties setting up your Ethernet card, check out http://www.linuxquestions.org. This is hands down the best Linux support site! The following sections show how Ethernet card setup is accomplished in Slackware.
3.0. The Driver
First you need to make sure that the driver for your Ethernet card is available to the kernel. The easiest way to do this is to use a loadable kernel module. In /etc/rc.d/rc.modules uncomment the line that modprobes the module for your Ethernet card. I have a Netgear FA310TX, which uses the tulip module. Verify that the module is loaded by checking the output of lsmod. In my case, lsmod shows
3.1. Configuration
You need to configure your Ethernet settings. Edit /etc/rc.d/rc.inet1. In most cases you will simply uncomment the line for eth0 that says "USE_DHCP=yes". You can now bring your Ethernet card up by executing /etc/rc.d/rc.inet1 as root. The next time you boot this will be done for you automatically.
3.2. Test
Verify that your Ethernet card is set up by checking the output of /sbin/ifconfig. You should see eth0 with reasonable settings. You should be able to ping a host on the Internet. For example, "ping www.linuxquestions.org".
4. Wireless Setup
4.0. The Driver
You need to make sure that the driver for your wireless card is available to the kernel. Download the hostap driver from http://hostap.epitest.fi/releases/hostap-0.0.4.tar.gz. With the advent of hotplug, your WiFi card will automatically be detected as orinoco_pci. I was unable to get the orinoco drivers working for me (despite some web pages that said they should support the Prism chip sets.) If you are using the hotplug system, add orinoco_cs, orinoco_pci, and orinoco_plx to /etc/hotplug/blacklist to prevent loading these modules when the system boots.
NOTE: Originally I tried to use the linux-wlan_ng driver, but was not able to get that driver working properly with my card. Lack of documentation for the linux-wlan_ng driver did not help matters! Their hardware compatibility list at http://www.linux-wlan.org/docs/wlan_adapters.html4.html said that my Netgear MA311 was supported, but it never detected the settings properly.
You will need to have the GNU/Linux kernel source code on your system, so download the package from your distribution's web site and install it.
Uncompress and inflate the hostap source code using "tar -zxvf hostap-0.0.4.tar.gz". Change to the hostap source code directory and follow the instructions for compiling the source code and installing. You only need to compile the hostap_pci module.
After you have compiled and installed the hostap_pci module, add
Code:
/sbin/modprobe hostap_pci
to /etc/rc.d/rc.modules so that the hostap_pci driver is loaded when the computer boots.
Now, as root, execute the
Code:
/sbin/modprobe hostap_pci
command. Verify that the hostap_pci module is loaded using the lsmod command. Now, verify that the card is recognized by using the iwconfig command. You should see wlan0 listed in the output.
4.1. Configuration
You need to add some code to configure wlan0. The address I am using for wlan0 is 192.168.1.1/24. I like to create a separate rc script for each network interface that I need to configure. I'll create a script called rc.wlan0, and call it from the appropriate location:
Slackware: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.inet1.
Debian: place rc.wlan0 in the /etc/rc.boot/ directory. This script will automatically be run at boot.
SuSe: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.boot.
Others: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.local.
So, as root create a file called rc.wlan0 that contains the following:
Code:
#!/bin/sh
#
# rc.wlan0
#
CHANNEL=1
ESSID="mynetwork"
INTERFACE="wlan0"
IPADDR="192.168.1.1"
KEY="0123-4567-89AB-CDEF-0123-4567-89" # Change this to some random value
MODE="Master"
NETMASK="255.255.255.0"
# Determine broadcast and network addresses from the IP address and netmask:
BROADCAST=`/bin/ipmask $NETMASK $IPADDR | cut -f 1 -d ' '`
NETWORK=`/bin/ipmask $NETMASK $IPADDR | cut -f 2 -d ' '`
# Set up the WiFi card
echo "Configuring ${INTERFACE}:"
/sbin/ifconfig ${INTERFACE} ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
/usr/sbin/iwconfig ${INTERFACE} essid ${ESSID}
/usr/sbin/iwconfig ${INTERFACE} channel ${CHANNEL}
/usr/sbin/iwconfig ${INTERFACE} mode ${MODE}
sleep 2
/usr/sbin/iwconfig ${INTERFACE} key ${KEY}
You may have noticed the sleep command in rc.wlan0. Without giving the card a short nap, I could not set the key. Someone suggested that some of the Intersil firmwares are a bit buggy. You may need to adjust the number of seconds you sleep in order to get encryption working.
NOTE: If your card uses 40/64 bit encryption you just use a shorter hexadecimal string for the key (e.g. 0123-4567-89).
NOTE: There is confusion about 40 bit versus 64 bit WEP, and 104 bit versus 128 bit WEP. The Wireless 802.11b FAQ found at http://www.iss.net/wireless/WLAN_FAQ.php explains it:
Quote:
The original 802.11 specification defined a 40-bit key. This key is combined with a 24 bit quantity known as the "initialization vector" (which is created automatically by the wireless network hardware) and these 64 bits are used within the RC4 encryption in order to produce the encrypted data. Some vendors describe this as 64-bit encryption (since technically RC4 is using 64 bits), but others describe it as 40-bits (since the initialization vector is public unencrypted data so it does not contribute to the security of the system). Therefore 40-bit and 64-bit WEP keys are the same thing, just being described from different points of view. Most 802.11 hardware now supports a larger 104-bit key; this also has a 24-bit initialization vector and so it is also sometimes marketed as a 128-bit system.
One last comment on security. Even 104/128 bit WEP is not that great. You would do well to add additional layers of encryption by setting up a VPN, using ssh instead of telnet, etc. These things are beyond the scope of this document (for now), but there is a lot of info on the Net about doing this. The VPN HOWTO would probably be a good place to start.
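One way to follow the "Change this to some random value" comment in rc.wlan0 and the key-length notes above, as an added example that is not part of the original tutorial: the sh functions below (their names are this example's own) generate a key from /dev/urandom in the dash-separated format used by the KEY line, report its real and marketed size, and refuse the sample keys printed on this page. It assumes od, tr and sed are installed.

```sh
#!/bin/sh
# Added example: helper names are this example's own, not from the tutorial.

# Print the number of secret bits (40 or 104) in an iwconfig-style hex key.
# Dashes are optional separators; any other length or character fails.
wep_key_bits() (
    hex=$(printf '%s' "$1" | sed 's/-//g')
    case $hex in ''|*[!0-9A-Fa-f]*) exit 1 ;; esac
    case ${#hex} in
        10) echo 40 ;;     # 5 bytes  + 24-bit IV = "64-bit" WEP
        26) echo 104 ;;    # 13 bytes + 24-bit IV = "128-bit" WEP
        *)  exit 1 ;;
    esac
)

# Generate a random key of 40 or 104 bits from /dev/urandom, formatted in
# dash-separated groups of four hex digits like the KEY line in rc.wlan0.
gen_wep_key() (
    case $1 in 40) bytes=5 ;; 104) bytes=13 ;; *) exit 1 ;; esac
    hex=$(od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n' | tr 'a-f' 'A-F')
    [ "${#hex}" -eq $(( bytes * 2 )) ] || exit 1
    printf '%s\n' "$hex" | sed 's/..../&-/g; s/-$//'
)

# Reject malformed keys (status 1) and the sample keys printed in this
# tutorial (status 2); otherwise report the real and the marketed size.
check_wep_key() (
    bits=$(wep_key_bits "$1") || exit 1
    norm=$(printf '%s' "$1" | sed 's/-//g' | tr 'a-f' 'A-F')
    case $norm in
        0123456789ABCDEF0123456789|0123456789) exit 2 ;;
    esac
    echo "${bits}-bit key (marketed as $(( bits + 24 ))-bit)"
)

# Demo: create a key for rc.wlan0 and describe it.
KEY=$(gen_wep_key 104) && echo "KEY=\"$KEY\"  # $(check_wep_key "$KEY")"
```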
Make sure that the file is executable using "chmod 755 rc.wlan0".
Edit the script that will call rc.wlan0 and add something similar to the following code:
Code:
if [ -x /etc/rc.d/rc.wlan0 ]; then
    /etc/rc.d/rc.wlan0
fi
Bring up the wlan0 interface by executing rc.wlan0 as root.
NOTE: the link light on the wireless PCI card will always blink. For some reason I expected it to go solid!
4.2 Test
Verify that the wlan0 interface is up by checking the output of /sbin/ifconfig. Also, verify that additional wlan0 settings (essid, mode, key, channel, etc...) are correct by checking the output of iwconfig.
5. Firewalling and Masquerading
5.0. Configuration
The last thing we need to do is use iptables to enable masquerading and firewalling, so that wireless clients can access the Internet. My firewall rules may or may not be exactly what you want. If you run an email or web server, then you will need to add additional rules to allow incoming connections for those services. I have a file called /etc/rc.d/rc.firewall. Slackware 9 calls this script from /etc/rc.d/rc.inet2. Your distribution may vary. Here's the script:
Code:
#!/bin/sh
###############################################################################
#
# The syntax of iptables is basically:
#
# iptables [-t table] -ACDI CHAIN rule-specification -j TARGET [options]
#
###############################################################################
IPT=/usr/sbin/iptables
# Use a trusted PATH
PATH=/sbin:/usr/sbin:/usr/local/sbin:/bin:/usr/bin:/usr/local/bin
export PATH
# Disable IP forwarding until the rules are in place.
echo 0 > /proc/sys/net/ipv4/ip_forward
# Install the necessary kernel modules.
/sbin/modprobe ip_tables
/sbin/modprobe ip_nat_ftp
/sbin/modprobe ip_conntrack_ftp
# Flush the tables and delete the non-builtin chains
# to ensure that we are starting from scratch.
for i in filter nat mangle
do
    $IPT --table $i --flush
    $IPT --table $i --delete-chain
done
# Set up a user-defined chain called "rules" in the filter table that
# prevents anyone from connecting to local computers from the outside, but
# allows local computers to establish connections to the outside. We'll
# specify that the INPUT and FORWARD chains use the rules defined in our
# "rules" chain after we've established those rules.
$IPT --table filter --new-chain rules
# Accept traffic (and related traffic on different ports) coming in on
# any interface if the traffic has been seen before in both directions.
$IPT --table filter \
--append rules \
--match state \
--state ESTABLISHED,RELATED \
--jump ACCEPT
# Accept new traffic coming in on any interface except eth0 (the
# Internet interface).
$IPT --table filter \
--append rules \
--in-interface ! eth0 \
--match state \
--state NEW \
--jump ACCEPT
# The catch-all rule: drop new or invalid traffic coming in on any
# network interface.
$IPT --table filter \
--append rules \
--match state \
--state NEW,INVALID \
--jump DROP
# Use the rules defined in the "rules" chain for the INPUT and
# FORWARD chains.
$IPT --table filter \
--append INPUT \
--jump rules
$IPT --table filter \
--append FORWARD \
--jump rules
# Make sure the default policy for the filter table's INPUT and
# FORWARD chains is DROP rather than ACCEPT, in case we misconfigure
# the firewall.
$IPT --table filter \
--policy INPUT DROP
$IPT --table filter \
--policy FORWARD DROP
# Add masquerading to the POSTROUTING chain in the nat table.
$IPT --table nat \
--append POSTROUTING \
--out-interface eth0 \
--source 192.168.1.0/24 \
--destination 0/0 \
--jump MASQUERADE
# Enable IP forwarding
echo 1 > /proc/sys/net/ipv4/ip_forward
Make the file executable with "chmod 755 /etc/rc.d/rc.firewall". Now, execute /etc/rc.d/rc.firewall. You should have a working wireless access point!
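A check that the loaded ruleset still has the properties rc.firewall is meant to give it (default DROP, both chains routed through "rules", NEW traffic refused on eth0, masquerading limited to the wireless subnet), as an added example that is not part of the original tutorial. The names audit_ruleset and good_ruleset are this example's own, and the embedded ruleset is a constructed sample in current iptables-save notation, which may differ between iptables versions.

```sh
#!/bin/sh
# Added example: audit_ruleset and good_ruleset are this example's own names.

# Constructed sample of what iptables-save prints after rc.firewall has run
# (current iptables-save notation; counters zeroed).
good_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:rules - [0:0]
-A INPUT -j rules
-A FORWARD -j rules
-A rules -m state --state RELATED,ESTABLISHED -j ACCEPT
-A rules ! -i eth0 -m state --state NEW -j ACCEPT
-A rules -m state --state INVALID,NEW -j DROP
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
COMMIT
EOF
}

# audit_ruleset WAN_IF LAN_NET   (iptables-save output on stdin)
# Prints one FAIL line per broken invariant; exit status 1 if any failed.
audit_ruleset() (
    wan=$1 lan=$2 fail=0
    dump=$(cat)
    has() { printf '%s\n' "$dump" | grep -Eq -- "$1"; }
    check() { has "$2" || { echo "FAIL: $1"; fail=1; }; }

    check "INPUT policy is DROP"   '^:INPUT DROP '
    check "FORWARD policy is DROP" '^:FORWARD DROP '
    check "INPUT jumps to rules"   '^-A INPUT -j rules$'
    check "FORWARD jumps to rules" '^-A FORWARD -j rules$'
    check "NEW connections accepted only when not arriving on $wan" \
          "^-A rules ! -i $wan -m state --state NEW -j ACCEPT\$"
    check "masquerading limited to $lan leaving via $wan" \
          "^-A POSTROUTING -s $lan -o $wan -j MASQUERADE\$"
    # A MASQUERADE rule with no -s would translate traffic from any source.
    if has '^-A POSTROUTING (-o [^ ]+ )?-j MASQUERADE$'; then
        echo "FAIL: MASQUERADE rule without a source restriction"; fail=1
    fi
    exit "$fail"
)

# Demo on the constructed sample.
good_ruleset | audit_ruleset eth0 192.168.1.0/24 && echo "ruleset OK"
```

On the access point itself, run it as root with "iptables-save | audit_ruleset eth0 192.168.1.0/24", using the subnet configured in rc.wlan0.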
5.1. Test
Double check the output of lsmod. Here is my lsmod:
Quote:
Module Size Used by Not tainted
hostap_crypt_wep 3020 1 (autoclean)
ipt_MASQUERADE 1272 2 (autoclean)
ipt_state 536 4 (autoclean)
iptable_mangle 2072 0 (autoclean) (unused)
iptable_filter 1644 1 (autoclean)
ip_conntrack_ftp 3888 1 (autoclean)
ip_nat_ftp 2928 0 (unused)
iptable_nat 14904 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack 18016 3 [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]
ip_tables 11768 7 [ipt_MASQUERADE ipt_state iptable_mangle iptable_filter iptable_nat]
uhci 24560 0 (unused)
usbcore 58144 1 [uhci]
hostap_pci 33716 1
hostap 74372 0 [hostap_pci]
hostap_crypt 1360 0 [hostap_crypt_wep hostap]
tulip 41248 2
Double check the output of ifconfig. Here is my ifconfig:
Quote:
eth0 Link encap:Ethernet HWaddr ??:??:??:??:??:??
inet addr:???.???.???.??? Bcast:???.???.???.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:112346 errors:0 dropped:0 overruns:0 frame:0
TX packets:121312 errors:1 dropped:0 overruns:1 carrier:0
collisions:5131 txqueuelen:100
RX bytes:19980541 (19.0 Mb) TX bytes:68587897 (65.4 Mb)
Interrupt:10 Base address:0x6400
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)
wlan0 Link encap:Ethernet HWaddr ??:??:??:??:??:??
inet addr:192.168.1.1 Bcast:192.168.1.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:107421 errors:0 dropped:725 overruns:0 frame:0
TX packets:106212 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:53350539 (50.8 Mb) TX bytes:47579017 (45.3 Mb)
Interrupt:12 Memory:c6d9d000-c6d9e000
Double check the output of iwconfig. Here is my iwconfig:
Quote:
lo no wireless extensions.
eth0 no wireless extensions.
wlan0 IEEE 802.11b ESSID:"bitbreather"
Mode:Master Frequency:2.412GHz Access Point: ??:??:??:??:??:??
Bit Rate:11Mb/s Sensitivity=1/3
Retry min limit:8 RTS thr:off Fragment thr:off
Encryption key:????-????-????-????-????-????-?? Encryption mode:restricted
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:6 Rx invalid frag:1
Tx excessive retries:4 Invalid misc:676 Missed beacon:0
Set up a wireless host to use your new access point. You'll need to use the same settings on both the access point and the client, except that the client will need to be in Managed mode. The client will need an IP address from the same range (e.g. 192.168.1.2) and a default gateway of 192.168.1.1.
6. To Do
Set up DHCP to configure wireless clients automatically. Set up DNS so that my wireless clients have DNS entries. Set up VPN for additional security.
Few questions:
1: In your setup what range of IP Addresses are given out as DHCP addresses?
2: To change the broadcast IP range do you change the following in rc.wlan0 & rc.firewall?
/etc/rc.d/rc.wlan0
# Original document had this: IPADDR=192.168.1.1
IPADDR=192.168.###.1
/etc/rc.d/rc.firewall
# Add masquerading to the POSTROUTING chain in the nat table.
# here is the change ### = ### in IPADDR= in rc.wlan0
# old line was: --source 192.168.1.0/24 \
$IPT --table nat \
--append POSTROUTING \
--out-interface eth0 \
--source 192.168.###.0/24 \
--destination 0/0 \
--jump MASQUERADE
Currently I don't have DHCP set up for my wireless network (that's why it's in the "to do" section.) If I were to set up DHCP my range of valid host IP addresses would be 192.168.1.2 to 192.168.1.254. That's because I use a 24 bit network mask, which leaves the last eight bits available to create unique host addresses. One of those addresses is considered the "network" address (192.168.1.0). One of those addresses is taken by my Linux box (192.168.1.1) and the other is taken by the broadcast address (192.168.1.255).
I'm not sure what you mean by changing your broadcast IP range. If you're using a 24 bit network mask then your broadcast address is 192.168.1.255. If you're using a different number of bits for the network portion of your address then you'll need to change your broadcast address so that all non-network bits are set.
Maybe this example will help. I'll show the binary addresses with braces around the host portion of the addresses, then I'll show the dotted quad equivalence:
Let's say that you need addresses for more than 254 hosts (.1 through .254), so you make your network mask 23 bits instead of 24 bits. That means you can use 9 bits to create 510 distinct host addresses instead of 8 bits to create 254 distinct host addresses.
Your network address (where the host portion is all zeros) in binary will be 11000000.10101000.0000001[0.00000000] which is 192.168.2.0 in dotted quad notation. Your broadcast address (where the host portion is all ones) in binary will be 11000000.10101000.0000001[1.11111111] which is 192.168.3.255 in dotted quad notation. The valid hosts are 11000000.10101000.0000001[0.00000001] which is 192.168.2.1 to 11000000.10101000.0000001[1.11111110] which is 192.168.3.254.
It's easier just to stick with a 24 bit network mask unless you really need more addresses than that. You should consult a good TCP/IP administration book. O'Reilly has a pretty good one.
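The network and broadcast arithmetic described in the reply above, which is also what rc.wlan0 obtains from /bin/ipmask, as an added sh example that is not part of the original posts. The function names are this example's own; the output lists broadcast before network because that is the field order rc.wlan0 reads with cut, and rejecting masks longer than /30 is an assumption of this example.

```sh
#!/bin/sh
# Added example: function names are this example's own.

# Dotted quad -> 32-bit integer; fails on malformed input.
ip_to_int() (
    case $1 in ''|.*|*.|*..*|*[!0-9.]*) exit 1 ;; esac
    set -f; IFS=.
    set -- $1
    [ $# -eq 4 ] || exit 1
    n=0
    for octet in "$@"; do
        case $octet in 0?*|????*) exit 1 ;; esac   # no leading zeros (octal)
        [ "$octet" -le 255 ] || exit 1
        n=$(( (n << 8) | octet ))
    done
    echo "$n"
)

# 32-bit integer -> dotted quad.
int_to_ip() {
    echo "$(( $1 >> 24 & 255 )).$(( $1 >> 16 & 255 )).$(( $1 >> 8 & 255 )).$(( $1 & 255 ))"
}

# subnet_info IPADDR NETMASK
# Prints "BROADCAST NETWORK FIRST_HOST LAST_HOST HOST_COUNT".
subnet_info() (
    ip=$(ip_to_int "$1") && mask=$(ip_to_int "$2") || exit 1
    host=$(( ~mask & 0xFFFFFFFF ))          # host bits all set to one
    # A valid mask is ones followed by zeros, so host+1 is a power of two.
    [ $(( host & (host + 1) )) -eq 0 ] || exit 1
    [ "$host" -ge 3 ] || exit 1             # /31 and /32: no host range
    net=$(( ip & mask ))                    # host portion all zeros
    bcast=$(( net | host ))                 # host portion all ones
    echo "$(int_to_ip "$bcast") $(int_to_ip "$net")" \
         "$(int_to_ip $(( net + 1 ))) $(int_to_ip $(( bcast - 1 ))) $(( host - 1 ))"
)

# Demo: the tutorial's 24-bit mask, then the 23-bit example from the reply.
subnet_info 192.168.1.1 255.255.255.0
subnet_info 192.168.2.1 255.255.254.0
```

In rc.wlan0 the two ipmask lines can then read the first and second fields of subnet_info "$IPADDR" "$NETMASK" with the same cut commands.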
Maybe that's why my own adapter works when just manually installed, and not after reboot.
Nice document there!!! I might be tempted to buy a WiFi card just to try it... My question is: did you ever think of how many clients you can hook to this access point? I would be interested to maybe use your technology to offer hotspotting in my area...
Tks for any replies!
Current specs: 4 Atheros Mini PCI cards running on Slack 10.1, kernel 2.4
Running Madwifi drivers
Later on I am going to try to fire up all of those cards as separate access points and see if I actually get an internet connection with them. It appears that I would, but you never know, since I am not sure if I have an IP address or not.
CONCERNS!
You said it's not done with DHCP, so would that mean I would have to assign each client an IP address in the 192.168.1.xx range in order to reach the internet?
Problems!
My only problem is the calling code that I added to the rc.inet1 file: it calls the rc.wlan0 file on boot but says that my interface is not found, then appears to be up when I iwconfig it, but nothing can connect! It's easy enough to fix though: I just took the code out of rc.inet1 and just manually did a ./rc.wlan0 and all is well. It's not a big deal since I don't really need the access point to go up at boot automatically, but if someone has a workaround it would be helpful to post it, or an explanation of why it wouldn't find my card at boot but does just fine afterwards.
Your search did not match any documents.
* Make sure all words are spelled correctly.
* Try using fewer words.
* Try using more general keywords.
* Try different keywords or spellings.
is there another card that will work like the ma311 from netgear?
I went to netgear.com and looked in their product finder on the first page. The product finder is just above the product search. I clicked on the button and found the ma111. Here is the page:
http://netgear.com/products/details/MA111.php
I wrote the tutorial a couple of years ago, so I don't think that the card is in production anymore. Anything with a Prism chipset should work, I think.
I originally posted in the wireless networking section about this with no answers, then found your tutorial. I used to run Slackware; it was my first distro I installed and ran for about a year. Anyway, thanks for the info, keep up the good work.