Nowadays many people prefer wireless home networks to traditional wired ethernet networks. There are many dedicated wireless access points on the market, which can be used to create home networks and to share internet connections. Many of these APs also have built-in ethernet ports for computers that don't have wireless connectivity. The AP is usually connected to a cable or ADSL modem, which allows the AP to route packets to the internet. If you just want to be able to access the internet from several computers at once, or to build a simple home LAN, then the easiest solution is to buy a dedicated wireless access point.
Even though for most people a dedicated wlan AP is more than enough, they have their problems. First of all, they cost more than a typical PCI wlan card. Many (inexpensive) APs also periodically stop working and refuse to work until they are rebooted. This kind of behavior is annoying at best, and unacceptable at worst. In addition, only a few dedicated APs offer such fine-grained control over network traffic as is possible with a true Linux computer. Luckily, configuring a Linux computer to work as a wireless AP is not that hard if you are already proficient with Linux and/or if you are willing to learn some new tricks.
I did quite a bit of research to find out which wlan card would be suitable for use as an AP. Even though many network cards do support AP (master) mode, they might not have Linux drivers, or the Linux drivers do not support master mode. After some research I bought a wlan card based on an Atheros chipset. The drivers can be found at http://madwifi.org. So far I have not encountered any problems with my wlan card.
Even though a laptop can be used as an AP, cardbus cards have small antennas which limit their effective range. PCI wlan adapters have much bigger antennas and thus should provide a longer range. The computer you use as the Access point does not have to be especially modern or powerful. I suppose pretty much any PCI capable computer should have what it takes.
Wireless-tools is used to configure standard 802.11b/g wireless interfaces. Unfortunately for Sarge users, the "wireless-tools" package in the Debian repository is outdated. The easiest way to fix this problem is to build the wireless tools from source. The tarball can be found at http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html.
After unpacking the tarball, check the INSTALL file for any missing dependencies. Then just run "make" and "make install". As long as you have a working build environment you should not have any problems - at least I did not. Also remember to uninstall the "wireless-tools" package with "apt-get" or "aptitude"; having an old version lying around is not a good idea.
After installing wireless tools it's time to get drivers for the Atheros wlan adapter from http://madwifi.org/. Unless you want to play with CVS, you'll probably just want to download a CVS snapshot from http://snapshots.madwifi.org/. The tarball you most likely want is madwifi-ng-current.tar.gz. Grab it, extract it and follow the instructions in the INSTALL file. If all dependencies are already met, you can probably just do a "make;make install".
By default the main atheros module (ath_pci) does not set the wlan adapter into access point mode. To fix this, I created a file /etc/modutils/atheros, which tells the kernel to load the module with the correct parameters. After creating this file, the program "update-modules" has to be run to actually update /etc/modules.conf. The next time the module is loaded, the wlan card will act as an access point.
# /etc/modutils/atheros
# This tells the kernel with which parameters the module should be loaded
options ath_pci autocreate=ap
NOTE: Debian Sarge seems to have an annoying habit of loading modules with default parameters at boot time, no matter what you do. The only way to "fix" this is to unload the "ath_pci" module after it has loaded (with default values), and reload it with the correct parameters. I've done all of this in a custom startup script which has to be loaded before the interface ath0 is brought up.
# /etc/init.d/custom_startup_script
echo "Setting up Atheros wlan card"
# First we will have to unload the "ath_pci" module which Debian
# insists on loading with incorrect parameters during boot time
modprobe -r ath_pci
# If you have modified the module load parameters as shown above,
# you should not need to pass any module parameters. I have the
# module parameters here also, "just to be sure"
modprobe ath_pci autocreate=ap
It is possible that there is a cleaner way of doing this: if you find one then please tell me also :).
When you are setting up a wireless network interface it is probably easiest to modify /etc/network/interfaces manually. If you have already configured your external network interface (the one connected to the internet), then you will just have to add your wlan interface there.
# See "man interfaces" if you need more information
# This one is a typical configuration for an external,
# automatically configured interface
iface eth0 inet dhcp
    hostname localhost
# Here you set up your wlan card. The "pre-up" script executes all
# commands specific to wireless card settings.
iface ath0 inet static
    pre-up /etc/init.d/atheros_set
    address 192.168.30.1
    netmask 255.255.255.0
    broadcast 192.168.30.255
And here is the pre-up script /etc/init.d/atheros_set:
# Set your essid here
iwconfig ath0 essid your_essid_here
# Set the wlan card to "master" (access point) mode
iwconfig ath0 mode Master
# Select the channel to use
iwconfig ath0 channel 3
# Set the WEP key (I use WEP because my laptop's adapter's drivers
# do not support WPA. It's nevertheless better than nothing. Change
# the key to something else, however.)
iwconfig ath0 key 72d1-18a3-7a3b-0914
# Set the rate used (see section 4. Configuring the clients for more
# information on this)
iwconfig ath0 rate 11M
After you have configured the interface, just issue an "ifup ath0" to get the interface running. After that you'll have to configure a dhcp server or create static routes from your client(s) to your wlan adapter.
Installing the dhcp server is quite straightforward. You can use "apt-get install dhcpd" or "aptitude install dhcpd". After that you will have to configure the server, which can be a bit confusing at first. See "man dhcpd.conf" for more details. You can use my config below for reference.
# Sample /etc/dhcpd.conf file
deny unknown-clients;
deny bootp;
authoritative;
default-lease-time 86400;
max-lease-time 86400;
# Add your ISP's DNS servers and your domain name here
option domain-name-servers 125.80.100.1 125.80.10.2;
option domain-name "your.domain.here";
subnet 192.168.30.0 netmask 255.255.255.0 {
    # Set this to the IP address of your AP's Wlan adapter
    option routers 192.168.30.1;
    # Set this to your AP's subnet's subnet mask
    option subnet-mask 255.255.255.0;
    # Add an entry for every client you want to have a static IP
    # Note that the hardware address can be easily faked, so this
    # is not really a secure way of preventing unknown machines from
    # connecting to your AP.
    #
    # You can also specify a range of IP addresses to use so
    # that dhcpd will serve addresses to unknown addresses also:
    # see "man dhcpd.conf" for more details
    host your_client_name {
        hardware ethernet 00:02:A1:B2:D8:15;
        fixed-address 192.168.30.101;
    }
}
# You will have to add an entry for your Internet provider's
# subnet also. Make sure that you DO NOT ADD this external
# interface to /etc/default/dhcp. See below for more info.
subnet 125.80.0.0 netmask 255.255.0.0 {
    deny unknown-clients;
    not authoritative;
}
When you have written a working configuration file for "dhcpd", you must modify /etc/default/dhcp: simply specify all the interfaces you want to have your dhcp server listening on. If you are using an Atheros based wlan card then you will probably want something like this:
# /etc/default/dhcp
# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
# Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="ath0"
YOU SHOULD NOT ADD YOUR EXTERNAL INTERFACE HERE! Your ISP will probably close your internet connection if you do so. The reason is that your computer's external interface will start serving addresses to your ISP's subnet, thus overriding several requests destined for the ISP's own dhcp server. This in turn will cause serious network problems which are easily traced back to your computer.
You have to install the Linux packet filter, "iptables", in order to be able to use your computer as a gateway to the Internet. Try "whereis iptables" to see if it is installed. In almost all distributions iptables is installed automatically. Iptables is a packet filter, which means that it can drop, reject, accept and forward incoming and outgoing IP packets. It can also be used to manipulate various packet attributes. To do IP masquerading, iptables must be configured to forward packets from the LAN interface to the Internet.
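For readers who prefer plain iptables, here is a minimal masquerading ruleset for this setup, as an added example that is not part of the original article. It assumes eth0 is the external interface and ath0 with 192.168.30.0/24 is the wlan side, as in the configuration files above; the ssh rule and the APPLY switch are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original article): NAT gateway ruleset
# for the AP described above. Interface names and the subnet follow
# the article's examples; allowing ssh from the wlan is an assumption.
WAN_IF=${WAN_IF:-eth0}             # external interface (to the modem)
LAN_IF=${LAN_IF:-ath0}             # Atheros wlan interface
LAN_NET=${LAN_NET:-192.168.30.0/24}

# Print a ruleset in iptables-restore format.
# $1 = external interface, $2 = wlan interface, $3 = wlan subnet
gateway_rules() {
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Rewrite the source address of wlan traffic leaving via $1
-A POSTROUTING -s $3 -o $1 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DHCP requests arrive from 0.0.0.0, so no source match here
-A INPUT -i $2 -p udp --dport 67 -j ACCEPT
# Assumption: ssh (and sshfs) to the AP is allowed from the wlan only
-A INPUT -i $2 -s $3 -p tcp --dport 22 -j ACCEPT
# Forward wlan clients out; let only reply traffic back in
-A FORWARD -i $2 -o $1 -s $3 -j ACCEPT
-A FORWARD -i $1 -o $2 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

if [ "${APPLY:-0}" = 1 ]; then
    # Needs root: enable routing, then load the ruleset atomically
    echo 1 > /proc/sys/net/ipv4/ip_forward
    gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET" | iptables-restore
else
    # Default: only print the ruleset for review
    gateway_rules "$WAN_IF" "$LAN_IF" "$LAN_NET"
fi
```

Run it without arguments to review the generated rules, and with APPLY=1 as root to load them. Both INPUT and FORWARD default to DROP, so nothing arriving on the external interface reaches the AP or the wlan clients unless it belongs to a connection opened from the inside.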
There are some GUI programs that can be used to configure iptables (and even dhcpd) easily to do IP masquerading. If you have only two network interfaces, then it is probably easiest to install "firestarter". It is a quite easy-to-use firewall (iptables) configuration program, and it can also be configured to start a dhcp server automatically. You could also take a look at "guarddog", which is another GUI for iptables configuration. Make sure that you read through the manual: it's not quite as easy to use as "firestarter".
In case you have more than two network interfaces, then you should definitely take a look at "fwbuilder". It makes building complicated firewalls easier than with plain "iptables". The same project files can be used to compile firewalls not only for Linux, but also for various *BSD packet filters. It does require a certain level of understanding of how networks work, but on the other hand its user interface is very easy to use. The user guide is pretty good and helps you to get started. After configuring IP masquerading and your firewall with "fwbuilder" you have probably learned a lot, if nothing else ;).
The configuration of the wlan client is pretty straightforward, once you've done the server configuration. If you configured the dhcp server to serve addresses dynamically then you will only have to use the correct WEP key. If you - like me - chose to serve IP addresses based on MAC addresses, then you might also want to bind your client's wlan adapter to this specific access point.
# /etc/network/interfaces
# eth0: built-in ethernet adapter
iface eth0 inet dhcp
# Setup the firewall after the interface is brought up
    post-up /etc/M700-single.fw
# eth1: wlan adapter
iface eth1 inet dhcp
# Run iwconfig before ifup
    pre-up /etc/init.d/ralink_set
# My laptop has a built-in ethernet adapter and an external cardbus
# card (rt2400 chipset) for wlan connections. This is why I have
# chosen to use two different firewall scripts - one for eth0 only
# and another one for eth0 and eth1
# Reconfigure firewall after interface has been created
    post-up /etc/M700-dual.fw
# Reconfigure firewall after interface goes down
    post-down /etc/M700-single.fw
The pre-up script sets parameters specific to wireless networks:
# /etc/init.d/ralink_set
iwconfig eth1 channel 3
iwconfig eth1 essid your_essid_here
iwconfig eth1 ap 00:1A:D4:2F:1A:28
iwconfig eth1 key 72d1-18a3-7a3b-0914
iwconfig eth1 rate 11M
UPDATE: I had not turned off my laptop for 62 days (I usually just hibernate it) after I had written this article. Then, for some reason the wireless connection just stopped functioning one day. After a short but bitter struggle I found out that I had to explicitly specify the rate that the wlan adapter uses. I recommend setting the rate both on client and server.
Just make sure that the key matches and the access point's MAC address is correct. If you want to be able to connect to other access points as well, remove the "iwconfig eth ap..." line. As with the server, just bring up the wireless interface with "ifup eth1" (or whatever your interface name is).
NOTE: The WEP encryption used in my examples is easily cracked, so sensitive data should not be sent wirelessly. I would not use NFS or a similar network file serving system on a WEP encrypted (or open) wireless network. Due to WEP insecurity I share my server's (or AP's) data and resources in a secure way via sshfs. Another possibility is to use IPSec to secure the wireless transmissions. See my article "Securing insecure wireless home network with IPSec" for more information. Sending plain text passwords over wireless lan is an especially bad idea, so don't do it.