Hello,

I'm looking to set up a linux box as a wireless router. There are some web pages out there about it, but they seem to be too outdated and vague to be useful. I have Suse Pro 9.1 on right now, but I'll put another distro on if it's known to work for this purpose. What steps do I need to take to set it up?

See if this is a good start: http://www.publicip.net

Thanks a lot, I was looking for the same thing )

The PublicIP site requires you have an existing router.

Anyway, from what I have learned so far, one should be able to run a router by setting your wireless driver to have a static IP (such as 192.168.1.1), put it in Master mode, and launching "routed", which, with some simple setup, should automatically route traffic from the wireless card to the lan/internet. Other computers should be set with static IPs, such as 192.168.1.100.

However, if one wants to do this with least hassles, Orinco cards are where it is at. Unfortunately, I have the acx-111 chipset running with acx-100 driver, which doesn't support Master mode at this time (its on the to-do list).

I would like to create a similar setup myself. I have a netgear router but it really pisses me off. If I am running p2p software and too many connections are formed, it crashes the router. I have tried upgrading the firmware but it doesn't help. Also, I would like to start using a vpn instead of wep. So now for my questions. First, if I have a desktop running linux with a wireless card installed and running in master mode, how many wireless clients would be able to connect at one time and what kind of speeds can I expect to get? Also, if a large number of connections are opened to one address(my p2p situation) will that cause problems? I'm just wondering if creating my own router would work any better than my current situation. Thanks in advance for any help.

I got it to work!

I got HostAP configured, set up essid, security, etc with iwconfig, and then ran Mandrake 10.1's "Share Internet Connection" tool - its in the Configure Computer controls or something like that. It has to be reconfigured after every reboot, but it doesn't take long if you whip up a script.

As far as getting something going on other distros, I don't know, but I do know it involves setting up the dhcpd and Squid.

I've been wanting to do the same thing. Have been looking at HOWTO's but only got a vague and ambiguous understanding of the configging.

I basically got an old 486 which has 2 nics and an extra PCI slot. I was planning on installing the D-Link AirPlus DWL-520+ Wireless NIC (PCI) in that to use as a wireless router ( I can get one cheap). I thought about installing ipcop, but ipcop has no native support for wireless cards, only for WAPs connected to NIC's (too expensive for me, I'm afraid). So I have to go with mainstream Mandrake or Debian (whichever can get the D-Link to work with the acx100 driver). I need to be guided as to the following config params

1. Need MAC address cloning/filtering in my router (NO IDEA how to do this)

2. Need to enable wep (that should work in /etc/pcmcia/<card config file>, right?

3. Need to prevent ESSID broadcast (same config file as above, right?).

4. Maybe use vpn tunnelling (will that throttle the bandwidth, and is the security it worth the trouble. I mean, if I use wireless to login to my bank account, which uses SSL for authentication, won't that be encrypted over wireless regardless?)

5. Configure NAT (routed, right?) and use firewall rules like iptables or ,preferably shorewall that can allow port forwarding for p2p etc (this should be fairly straightforward after I have done all of the above steps).

I would really appreciate some advice on this matter. If I succeed with help, I'll write a detailed and up-to-date HOWTO on how we got it all to work and post it on the web (promise).

MAC addresses are sent unencrypted in 802.11 packets whether you use WEP or not, and so are easily sniffed. They are also easily spoofed.

SSID is always broadcast in response to a probe request, whether the beacon is enabled or not (commonly called SSID broadcast disable by the marketers). The probe will occur whenever your laptop tries to associate or it can be initiated by a malicious user. Whether or not the SSID broadcast is "disabled," the wireless will be visible to tools such as Kismet.

I can't help much with the iptables part, but I wouldn't waste a lot of time trying to get the MAC filtering and SSID broadcast configured. Use WPA if your client hardware and drivers support it.

I found a more generic way to set up my linux wireless router, after I moved over to Ubuntu...

Set up your wireless card how you want it, hostap/master mode is optional. I believe most distros have boot-time network configuration stored in /etc/network/interfaces (if not, consult your docs). Say if your card is wlan0, you would put:

#------
iface wlan0 inet static
name MyWirelessCard
address 192.168.0.1
netmask 255.255.255.0
broadcast 192.168.0.255
network 192.168.0.0
wireless_essid mywireless
wireless_key s:foobarsky1234 #s: is for string, use 5 or 13 characters
wireless_mode ad-hoc # use master instead of ad-hoc if you have hostap
wireless_channel 6
#-------

Sometimes I see different examples using an underscore "_" to seperate the wireless and the operator, and others with a dash "-". The underscores worked for me, but if it doesn't for you try the dashes. For example, line 7 would be "wireless-essid mywireless;".

Now, optionaly you set up DHCP. I use the dhcp3 debian package, and my dhcpd.conf is setup like this:

#-------
ddns-update-style none;
subnet 192.168.0.0 netmask 255.255.255.0 {
range 192.168.0.100 192.168.0.200;
option domain-name servers 400.3.2.1 500.6.7.8;
option domain-name "mycomp.mydslam.myisp.com";
option routers 192.168.0.1;
option broadcast-address 192.168.0.255;
default-lease-time 7200;
max-lease-time 7200;
}
#-------

You must replace the bogus domain name servers and domain name I gave with the ones listed in your /etc/resolv.conf. This config will set up DHCP the give addresses from 192.168.0.100 to 192.168.0.200, so theoretically 100 or so computers can connect to your wireless. Should be enough.


Now, permanately deativate any other firewall software you have, and then install Firestarter. This is simply a "apt-get install firestarter" if you're running debian/ubuntu/etc. If your distro doesn't have a prepackaged version, see http://firestarter.sourceforge.net for install package and instructions.

Now run (as root) /usr/sbin/firestarter. You'll either need to log in as root or use a X.org-aware sudo, such as "sux" or "gksudo".

Configure the firewall how you like...but when you go to Network Settings, select the proper "Internet connected network device" like eth0 or ppp0, and then the proper "Local network connected device" like wlan0. Then, check "Enable Internet connection sharing". Do not check "Enable DHCP for the local network". If you do check it, Firestarter will overwrite your dhcpd.conf, probably breaking your setup, and producing wierd errors on startup. If you couldn't get dhcp to work, you could safely try this however...

Click apply, and you should be immediately be able to connect to the internet with your wireless computers. If not, make sure your dhcp service started correctly. For me, the Internet connection was flaky and cut out occasionally, but got better with time, so your results may vary at first.

Thanks for ur instructions. I'll follow them to the letter.

My question is, what is the security situation with ur configuration?

I live at a tech school, in a dorm building with 300 other students, most with laptops, and nobody has haxed my WEP yet, or at least used it to connect with my internet. There could still be packet sniffing going on, but I just ssh in if I need to do something secure and I'm too lazy to get up and walk to my box.

Is it okay if I use webmin (using https:// login & generating an ssl cert and all that)? Will that be as safe as ssh?

Sure, that'll work too. You'll need to add a Firestarter policy to open up port 10000, though. (Same with SSH and port 22)

If your setup is fairly high-profile, or mission-critical, just make sure to keep up with your security updates.