Build A Linux-Based Wireless Access Point (Part 2)
February 01, 2005
Last week we took a look at the best parts for assembling a Linux-based WAP. This week we take you through configuration on both Debian- and Red Hat-based distributions.
In Part 1 we looked at some of the great hardware choices for building a custom Linux-based wireless access point, including mini-ITX and embedded systems. Today we'll learn how to convert an ordinary old PC into a powerful, customizable access point.
Wireless Adapter And Antenna
Our ordinary old PC is a Pentium 233 with 64 megabytes RAM, a six gigabyte hard drive, CDROM, floppy drive, two serial ports, a 10/100 PCI Ethernet adapter, and sound and video. The sound card is unnecessary, but it's not bothering anyone. I like leaving the video card in even though the machine will run headless; it's useful to be able to hook up a monitor for troubleshooting. This particular access point will connect wireless clients to a wired LAN.
Wireless service is provided by a Senao 2511 CD Plus Ext2 PCMCIA card on a PCI adapter. This is the most powerful, reliable, and best-supported wireless adapter you'll find for Linux. True, it's only 802.11b, but it is rock-solid and well-supported. The antenna is a 2.4 GHz 8 dBi fiberglass omnidirectional. The antenna makes a huge difference in the quality of the signal; for more information on choosing one see "Antennas: The Key to Maximizing RF Coverage."
The antenna must use the same frequency as the radio card; in this case, 2.4 GHz. Note also that a lot of cordless phones use this same frequency, and will interfere with wireless networking. (See Dueling with Cordless Phones.) In a nutshell, don't use phones that are on the same frequency as your wireless network.
Install your favorite Linux, the newer the better. Be sure to install any "laptop" and "pcmcia" package groups. Verify that you have the following utilities installed. If you don't they are readily available from the usual sources:
The SSID (service set identifier) of the example access point is Northpasture, because that is the view out my window. SSIDs can be up to 32 characters and are case-sensitive.
Debian provides several ways to configure wireless adapters. The simplest is to use /etc/network/interfaces. Add this entry, using your own network addresses and ESSID:
iface eth1 inet static
You can put any iwconfig command in this file, in the format wireless_[command] [value], except nick.
Red Hat Configuration
On Red Hat, Fedora, Mandrake, White Box Linux, and all the other Red Hat clones and offshoots, edit /etc/sysconfig/network-scripts/ifcfg-eth1:
Restart networking or reboot. Now you should be able to connect from a wireless client. A quick and easy test is to configure the client with a static IP, set the ESSID to be the same as the access point, and put it in MANAGED mode. You should be able ping from both machines.
The Senao 2511 only supports WEP (wireless equivalent privacy) in Linux. WEP is regarded as feeble, but it's better than nothing. A much stronger solution is to tunnel all wireless traffic using OpenVPN, which will be covered in a future article. (Don't wait for me -- OpenVPN is fairly simple to use, yet sophisticated and secure.)
All you need to do is cobble up a 104-bit hexadecimal key, then share this key with the access point and all clients. Use dd and xxd to generate a reasonably randomized number:
$ dd if=/dev/random bs=1 count=13 2>/dev/null |xxd -ps
On Debian, copy the key into /etc/network/interfaces:
On Red Hat et al, copy the key into /etc/sysconfig/networking/devices/keys-eth1:
You are limited by the weakest level of WEP support, so if you have any clients that support only 64-bit, that's what you'll have to use. Adding to the fun is sometimes 64-bit really means 40-bit; see "Making the Most from WEP" to help make sense of it all. Most security howtos recommend that you change the key weekly. This is a great way to use up all that free time you've been burdened with, because it must be done manually on every PC. The assumption is that a determined cracker is intercepting your transmissions and running a cracking tool against your keys. It could happen, better to be careful.
Once you have verified that everything works, it's time to move on to the next step, which paradoxically undoes much of what you just did.
Building A Bridge
The next step is to set up bridging between the wireless adapter and the wired Ethernet adapter. Bridging must be supported in the kernel, and most likely it isn't on a stock Debian installation. It should be present on Red Hat and Fedora and the rest of the Red Hat gang. Look in the /boot/config file for CONFIG_BRIDGE=m or =y. If it isn't, you'll have to build a new kernel. When you are configuring the new kernel look for Device Drivers -> Networking Support -> Networking Options -> 802.1d Ethernet Bridging.
You should also install the kernel-unsupported package on Red Hat-ish systems, and make sure it matches your kernel version (uname -r). This contains the bridge.o module, which may be needed by bridge-utils. If you get the "br_add_bridge: Package not installed" error message when you try to set up the bridge, kernel-unsupported will fix it.
Once all that is squared away, run these commands to set up the bridge:
# ifconfig eth0 0.0.0.0 down
# ifconfig eth1 0.0.0.0 down
# brctl addbr br0
# brctl addif br0 eth0
# brctl addif br0 eth1
# brctl stp br0 off
# ifconfig br0 192.168.1.5
# ifconfig eth0 up
# ifconfig eth1 up
This may look mysterious, but it's not so bad: first the two NICs must be shut down and their IP addresses removed. Then the bridge is created at br0, the two interfaces are added to the bridge, and the bridge is started with an IP address of 192.168.1.5. "brctl stp br0 off" turns off the Spanning Tree protocol, which is not needed when there is only a single bridge.
To view your bridge configuration:
# brctl show
You don't have to use bridging; you may use routing instead, or indeed any type of exotic networking you wish.
You now have a real-live wireless access point, and wireless clients should be able to access the wired LAN. Stay tuned for future installments on adding heavier-duty security and access controls, roaming, and network monitoring with Kismet.
What About wlan0
When you see documentation that refers to wireless adapters as something like wlan0 instead of eth0, that means they are using the Linux WLAN tools. WLAN is older than Wireless-tools and not as featureful; better to use Wireless-tools if you can.