Visit the LQ Articles and Editorials section
Go Back > Linux Answers > Networking
User Name


By eric.r.turner at 2003-09-05 23:51
0. Introduction

This document provides step-by-step instructions for setting up a wireless access point using a PC running GNU/Linux and an 802.11b PCI WiFi card based on the Prism 2/2.5/3 chip sets. I wanted a system that would do firewalling, and would provide broadband Internet access to wireless hosts. For this article I chose Slackware 9 with the Netgear MA311 PCI card. Other distributions of GNU/Linux and wireless cards based on the Prism 2, 2.5, and 3 chip sets should work equally well.

Please email your success stories to eric.r.turner(at)bitbreather(dot)com. I am particularly interested in putting together a table of Linux distribution/WiFi card combinations that people have successfully set up using these instructions. If you had to do ANYTHING differently, please let me know so that I can incorporate your discoveries into this document. Thanks!

1. Copyright and Disclaimer

Copyright (C) 2003 by Eric R. Turner. This document may be distributed under the terms set forth in the LDP <>

This is free documentation. It is distributed in the hope that it will be useful, but without any warranty. The information in this document is correct to the best of my knowledge, but there's a always a chance I've made some mistakes, so don't follow everything too blindly, especially if it seems wrong. Nothing here should have a detrimental effect on your computer, but just in case I take no responsibility for any damages incurred from the use of the information contained herein.

2. Assumptions

2.0 Software

You should have GNU/Linux installed with at least kernel 2.4, and should be comfortable editing files and using a command line. I did a full install of Slackware 9.0, which uses the 2.4.20 kernel. You need to have the wireless tools, Ethernet support, and iptables support too.

The files and commands listed here work for Slackware 9. I will gladly include differences between Linux distributions as people send them to me. It should not be too long before this document will be equally usable for all major Linux distributions. ;-)

2.1 Hardware

You should have a computer that is PCI 2.1 compliant. Most systems with a P166 or newer will work. Anything older may not work. You can find out if your system is compliant by checking the output of
dmesg | grep "PCI BIOS"
You should see something similar to
   PCI: PCI BIOS revision 2.10 entry at 0xfb6c0, last bus=0
You need to have high-speed Internet, and and Ethernet card installed. You also need to have your wireless card installed, of course!

2.2 Experience

These instructions should work for you if you know how to use a command line, edit files, install packages, and have a basic understanding of Linux networking concepts. Section 3 shows you how to set up an Ethernet card, which you may safely skip if you know how to do this already.

3. Ethernet Setup

Ethernet setup can vary greatly between Linux distributions. If you have any difficulties setting up your Ethernet card, check out This is hands down the best Linux support site! The following sections show how Ethernet card setup is accomplished in Slackware.

3.0. The Driver

First you need to make sure that the driver for your Ethernet card is available to the kernel. The easiest way to do this is to use a loadable kernel module. In /etc/rc.d/rc.modules uncomment the line that modprobes the module for your Ethernet card. I have a Netgear FA310TX, which uses the tulip module. Verify that the module is loaded by checking the output of the lsmod. In my case, lsmod shows
tulip 41248 1
3.1. Configuration

You need to configure your Ethernet settings. Edit /etc/rc.d/rc.inet1. In most cases you will simply uncomment the line for eth0 that says "USE_DHCP=yes". You can now bring your Ethernet card up by executing /etc/rc.d/rc.inet1 as root. The next time you boot this will be done for you automatically.

3.2. Test

Verify that your Ethernet card is set up by checking the output of /sbin/ifconfig. You should see eth0 with reasonable settings. You should be able to ping a host on the Internet. For example, "ping".

4. Wireless Setup

4.0. The Driver

You need to make sure that the driver for your wireless card is available to the kernel. Download the hostap driver from With the advent of hotplug, your WiFi card will automatically be detected as orinoco_pci. I was unable to get the orinoco drivers working for me (despite some web pages that said they should support the Prism chip sets.) If you are using the hotplug system, add orinoco_cs, orinoco_pci, and orinoco_plx to /etc/hotplug/blacklist to prevent loading these modules when the system boots.

NOTE: Originally I tried to use the linux-wlan_ng driver, but was not able to get that driver working properly with my card. Lack of documentation for the linux-wlan_ng driver did not help matters! Their hardware compatibility list at said that my Netgear MA311 was supported, but it never detected the settings properly.
You will need to have the GNU/Linux kernel source code on your system, so download the package from your distribution's web site and install it.

Uncompress and inflate the hostap source code using "tar -zxvf hostap-0.0.4.tar.gz". Change to the hostap source code directory and follow the instructions for compiling the source code and installing. You only need to compile the hostap_pci module.
After you have compiled and installed the hostap_pci module, add
/sbin/modprobe hostap_pci
to /etc/rc.d/rc.modules so that the hostap_pci driver is loaded when the computer boots.
Now, as root, execute the
/sbin/modprobe hostap_pci
command. Verify that the hostap_pci module is loaded using the lsmod command. Now, verify that the card is recognized by using the iwconfig command. You should see wlan0 listed in the output.

4.1. Configuration

You need to add some code to configure wlan0. The address I am using for wlan0 is I like to create a separate rc script for each network interface that I need to configure. I'll create a script called rc.wlan0, and call it from the appropriate location:

Slackware: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.inet1.

Debian: place rc.wlan0 in the /etc/rc.boot/ directory. This script will automatically be run at boot.

SuSe: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.boot.

Others: place rc.wlan0 in the /etc/rc.d/ directory, and make a call to it from /etc/rc.d/rc.local.

So, as root create a file called rc.wlan0 that contains the following:
   # rc.wlan0

   KEY="0123-4567-89AB-CDEF-0123-4567-89" # Change this to some random value

   # Determine broadcast and network addresses from the IP address and netmask:

   BROADCAST=`/bin/ipmask $NETMASK $IPADDR | cut -f 1 -d ' '`
   NETWORK=`/bin/ipmask $NETMASK $IPADDR | cut -f 2 -d ' '`

   # Set up the WiFi card

   echo "Configuring ${INTERFACE}:"
   /sbin/ifconfig ${INTERFACE} ${IPADDR} broadcast ${BROADCAST} netmask ${NETMASK}
   /usr/sbin/iwconfig ${INTERFACE} essid ${ESSID}
   /usr/sbin/iwconfig ${INTERFACE} channel ${CHANNEL}
   /usr/sbin/iwconfig ${INTERFACE} mode ${MODE}
   sleep 2
   /usr/sbin/iwconfig ${INTERFACE} key ${KEY}
You may have noticed the sleep command in rc.wlan0. Without giving the card a short nap, I could not set the key. Someone suggested that some of the Intersil firmwares are a bit buggy. You may need to adjust the number of seconds you sleep in order to get encryption working
NOTE: If your card uses 40/64 bit encryption you just use a shorter hexadecimal string for the key (e.g. 0123-4567-89).

NOTE: There is confusion about 40 bit versus 64 bit WEP, and 104 bit versus 128 bit WEP. The Wireless 802.11b FAQ found at explains it:
The original 802.11 specification defined a 40-bit key. This key is combined with a 24 bit quantity known as the "initialization vector" (which is created automatically by the wireless network hardware) and these 64 bits are used within the RC4 encryption in order to produce the encrypted data. Some vendors describe this as 64-bit encryption (since technically RC4 is using 64 bits), but others describe it as 40-bits (since the initialization vector is public unencrypted data so it does not contribute to the security of the system). Therefore 40-bit and 64-bit WEP keys are the same thing, just being described from different points of view. Most 802.11 hardware now supports a larger 104-bit key; this also has a 24-bit initialization vector and so it is also sometimes marketed as a 128-bit system.
One last comment on security. Even 104/128 bit WEP is not that great. You would do well to add additional layers of encryption by setting up a VPN, using ssh instead of telnet, etc. These things are beyond the scope of this document (for now), but there is a lot of info on the Net about doing this. The VPN HOWTO would probably be a good place to start.

Make sure that the file is executable using "chmod 755 rc.wlan0".
Edit the script that will call rc.wlan0 and add something similar to the following code:
   if [ -x /etc/rc.d/rc.wlan0 ]; then
Bring up the wlan0 interface by executing rc.wlan0 as root.

NOTE: the link light on the wireless PCI card will always blink. For some reason I expected it to go solid!

4.2 Test

Verify that the wlan0 interface is up by checking the output of /sbin/ifconfig. Also, verify that additional wlan0 settings (essid, mode, key, channel, etc...) are correct by checking the output of iwconfig.

5. Firewalling and Masquerading

5.0. Configuration

The last thing we need to do is use iptables to enable masquerading and firewalling, so that wireless clients can access the Internet. My firewall rules may or may not be exactly what you want. If you run an email or web server, then you will need to add additional rules to allow incoming connections for those services. I have a file called /etc/rc.d/rc.firewall. Slackware 9 calls this script from /etc/rc.d/rc.inet2. Your distribution may vary. Here's the script:

   # The syntax of iptables is basically:
   #    iptables [-t table] -ACDI CHAIN rule-specification -j TARGET [options]


   # Use a trusted PATH

   export PATH

   # Disable IP forwarding until the rules are in place.

   echo 0 > /proc/sys/net/ipv4/ip_forward

   # Install the necessary kernel modules.

   /sbin/modprobe ip_tables
   /sbin/modprobe ip_nat_ftp
   /sbin/modprobe ip_conntrack_ftp

   # Flush the tables and delete the non-builtin chains
   # to ensure that we are starting from scratch.

   for i in filter nat mangle
      $IPT --table $i --flush
      $IPT --table $i --delete-chain

   # Set up a user-defined chain called "rules" in the filter table that
   # prevents anyone from connecting to local computers from the outside, but
   # allows local computers to establish connections to the outside. We'll
   # specify that the INPUT and FORWARD chains use the rules defined in our
   # "rules" chain after we've established those rules.

   $IPT --table filter --new-chain rules

   # Accept traffic (and related traffic on different ports) coming in on
   # any interface if the traffic has been seen before in both directions.

   $IPT --table filter \
        --append rules \
        --match state \
        --state ESTABLISHED,RELATED \
        --jump ACCEPT

   # Accept new traffic coming in on any interface except eth0 (the
   # Internet interface).

   $IPT --table filter \
        --append rules \
        --in-interface ! eth0 \
        --match state \
        --state NEW \
        --jump ACCEPT

   # The catch-all rule: drop new or invalid traffic coming in on any
   # network interface.

   $IPT --table filter \
        --append rules \
        --match state \
        --state NEW,INVALID \
        --jump DROP

   # Use the rules defined in the "rules" chain for the INPUT and
   # FOREWARD chains.

   $IPT --table filter \
        --append INPUT \
        --jump rules

   $IPT --table filter \
        --append FORWARD \
        --jump rules

   # Make sure the default policy for the filter table's INPUT and
   # FORWARD chains is DROP rather than ACCEPT, in case we misconfigure
   # the firewall.

   $IPT --table filter \
        --policy INPUT DROP

   $IPT --table filter \
        --policy FORWARD DROP

   # Add masquerading to the POSTROUTING chain in the nat table.

   $IPT --table nat \
        --append POSTROUTING \
        --out-interface eth0 \
        --source \
        --destination 0/0 \
        --jump MASQUERADE

   # Enable IP forwarding

   echo 1 > /proc/sys/net/ipv4/ip_forward
Make the file executable with "chmod 755 /etc/rc.d/rc.firewall". Now, execute /etc/rc.d/rc.firewall. You should have a working wireless access point!

5.1. Test

Double check the output of lsmod. Here is my lsmod:
Module Size Used by Not tainted
hostap_crypt_wep 3020 1 (autoclean)
ipt_MASQUERADE 1272 2 (autoclean)
ipt_state 536 4 (autoclean)
iptable_mangle 2072 0 (autoclean) (unused)
iptable_filter 1644 1 (autoclean)
ip_conntrack_ftp 3888 1 (autoclean)
ip_nat_ftp 2928 0 (unused)
iptable_nat 14904 2 [ipt_MASQUERADE ip_nat_ftp]
ip_conntrack 18016 3 [ipt_MASQUERADE ipt_state ip_conntrack_ftp ip_nat_ftp iptable_nat]
ip_tables 11768 7 [ipt_MASQUERADE ipt_state iptable_mangle iptable_filter iptable_nat]
uhci 24560 0 (unused)
usbcore 58144 1 [uhci]
hostap_pci 33716 1
hostap 74372 0 [hostap_pci]
hostap_crypt 1360 0 [hostap_crypt_wep hostap]
tulip 41248 2
Double check the output of ifconfig. Here is my ifconfig:
eth0 Link encap:Ethernet HWaddr ??:??:??:??:??:??
inet addr:???.???.???.??? Bcast:???.???.???.255 Mask:
RX packets:112346 errors:0 dropped:0 overruns:0 frame:0
TX packets:121312 errors:1 dropped:0 overruns:1 carrier:0
collisions:5131 txqueuelen:100
RX bytes:19980541 (19.0 Mb) TX bytes:68587897 (65.4 Mb)
Interrupt:10 Base address:0x6400

lo Link encap:Local Loopback
inet addr: Mask:
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

wlan0 Link encap:Ethernet HWaddr ??:??:??:??:??:??
inet addr: Bcast: Mask:
RX packets:107421 errors:0 dropped:725 overruns:0 frame:0
TX packets:106212 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:53350539 (50.8 Mb) TX bytes:47579017 (45.3 Mb)
Interrupt:12 Memory:c6d9d000-c6d9e000
Double check the output of iwconfig. Here is my iwconfig:
lo no wireless extensions.

eth0 no wireless extensions.

wlan0 IEEE 802.11b ESSID:"bitbreather"
Mode:Master Frequency:2.412GHz Access Point: ??:??:??:??:??:??
Bit Rate:11Mb/s Sensitivity=1/3
Retry min limit:8 RTS thr:off Fragment thr:off
Encryption key:????-????-????-????-????-????-?? Encryption mode:restricted
Power Management:off
Link Quality:0 Signal level:0 Noise level:0
Rx invalid nwid:0 Rx invalid crypt:6 Rx invalid frag:1
Tx excessive retries:4 Invalid misc:676 Missed beacon:0
Set up a wireless host to use your new access point. You'll need to use the same settings on both the access point and the client, except that the client will need to be in Managed mode. The client will need an IP address from the same range (e.g. and a default gateway of

6. To Do

Set up DHCP to configure wireless clients automatically. Set up DNS so that my wireless clients have DNS entries. Set up VPN for additional security.

by theory on Tue, 2003-09-30 13:23
I used your document this weekend to setup an AP on my slackware 9 box. I commented out the encryption key so that I had an open system and was able to pick up the ESSID and connect to the AP. The problem was that I was not able to retrieve an IP address for my client system. I'll continue working on this to see if the problem is with my setup.

Few questions:

1: In your setup what range of IP Addresses are given out as DHCP addresses?

2: To change the broadcast IP range do you change the following in rc.wlan0 & rc.firewall?

# Original document had this: IPADDR=

# Add masquerading to the POSTROUTING chain in the nat table.
$IPT --table nat \
--append POSTROUTING \
--out-interface eth0 \

# here is the change ### = ### in IPADDR= in rc.wlan0
# old line was: --source \
--source 192.168.###.0/24 \
--destination 0/0 \

by eric.r.turner on Wed, 2003-12-17 21:04
Sorry for not responding... didn't realize that there was a post in the discussion.

Currently I don't have DHCP set up for my wireless network (that's why it's in the "to do" section.) If I were to set up DHCP my range of valid host IP addresses would be to That's because I use a 24 bit network mask, which leaves the last eight bits available to create unique host addresses. One of those addresses is considered the "network" address ( One of those addresses is taken by my Linux box ( and the other is taken by the broadcast address (

I'm not sure what you mean by changing your broadcast IP range. If you're using a 24 bit network mask then your broadcast address is If you're using a different number of bits for the network portion of your address then you'll need to change your broadcast address so that all non-network bits are set.

Maybe this example will help. I'll show the binary addresses with braces around the host portion of the addresses, then I'll show the dotted quad equivalence:

Let's say that you need addresses for more than 254 hosts (.1 throught .254), so you make your network mask 23 bits instead of 24 bits. That means you can use 9 bits to create 510 distinct host addresses instead of 8 bits to create 254 distinct host addresses.

Your network address (where the host portion is all zeros) in binary will be 11000000.10101000.0000001[0.00000000] which is in dotted quad notation. Your broadcast address (where the host portion is all ones) in binary will be 11000000.10101000.0000001[1.11111111] which is in dotted quad notation. The valid hosts are 11000000.10101000.0000001[0.00000001] which is to 11000000.10101000.0000001[1.11111110] which is

It's easier just to stick with a 24 bit network mask unless you really need more addresses than that. You should consult a good TCP/IP administration book. O'reilly has a pretty good one.

by zorba4 on Sat, 2004-02-21 13:35
I was interested by the need you mentionned, of adding a "modprobe" in rc.somewhere.
Maybe that's why my own adapter works when just manually installed, and not after reboot.

by LuggerHouse on Fri, 2004-06-04 13:04
Hey guys,
Nice document there !!! I might be tempted to by a WiFi card just to try it... My question is: did you ever thought of how many clients you can hook to this access point ?? I would be interested to, mayby use your technology to offer hotspoting in my area...

Tks for any replies!

by Atrocity on Thu, 2005-05-12 09:51
nice document, I added that file and executed it and my card is an access point that easy, then I had 3 other cards in that box so I fired them up and gave them the network key and they all have a connection to the First card

Current specs : 4 atheros Mini PCI cards running on slack 10.1 kernal 2.4
Running Madwifi drivers

Later on I am goign to try to fire up all of those cards as separate access points and see if I actually get an internet connection with them, it apears that I would but you never know since i am not sure if I have an ip address or not.

You said its not done with DHCP so would that mean I would have to assign each client an ip address in the 192.168.1.xx range in order to reach the internet?????????????????????????

My only problem is the calling code that I added to the rc.inet1 file it calls the rc.wlan0 file on boot but says that my interface is not found, then apears to be up when I iwconfig it but nothing can connect! Its easy enough to fix though I just took the code out of rc.inet1 and just manually did a ./rc.wlan0 and all is well, its not a big deal since I dont really need the access point to go up at boot automatically but if somone has a workaround would be helpfull to post it or an explanation of why it wouldnt find my card at boot but does just fine afterwards

by madwifimoody on Tue, 2006-01-10 17:11
went to netgear and did a product search for the MA311 and this is what i got Did You Mean: ma111

Your search did not match any documents.

* Make sure all words are spelled correctly.
* Try using fewer words.
* Try using more general keywords.
* Try different keywords or spellings.
is there another card that will work like the ma311 from netgear?

by stress_junkie on Tue, 2006-01-10 17:45

I went to and looked in their product finder on the first page. The product finder is just above the product search. I clicked on the button and found the ma111. Here is the page:

by eric.r.turner on Tue, 2006-01-10 23:52
No, that's not it. Look on Amazon .

I wrote the tutorial a couple of years ago, so I don't think that the card is in production anymore. Anything with a Prism chipset should work, I think.

by madwifimoody on Wed, 2006-01-11 05:02
thanks for replying so quikly do you know which linksys/netgear ect ect. adapters that currently have the prism chipsets in them the reason im asking is because im looking into setting up a community based free access network in my area id prefeer using linux to do it with rather than some off the shelf ap becuase linux offers so much more plus i can pick up PI and PII for less then $25 dollers in my area then add the cost of the card + material and the price is about the same as buying a crummy off the shelf product that doesent allow you to do half of what linux with a few add ons will do
i origonaly posted in the wireless networking section about this with no answers then found your tutorial i used to run slackware it was my first distro i installed and ran for about a year any ways thanks for the info keep up the good work

by eric.r.turner on Wed, 2006-01-11 11:57
Originally Posted by madwifimoody
do you know which linksys/netgear ect ect. adapters that currently have the prism chipsets in them
Best thing to do is take a look at the hostap website, and perhaps contact the author of the driver.


All times are GMT -5. The time now is 04:14 AM.

Main Menu

Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration