I just reconfigured my LEAF Bering uClibc router to act as a wireless access point. Previously my wireless network was operating in ad-hoc mode, which caused some occasional headaches (someone nearby is using a Linksys WiFi router to which my clients occasionally connect. Nothing as bad as what DrBacchus experienced, though, thankfully). The Orinoco Gold card that I'd been using is not supported by HostAP, so I bought a used Microsoft MN-520 PCMCIA wireless adapter for $20. This card uses the Prism2 chipset which is supported by HostAP. (See this page for a rather comprehensive list if you're looking for one.)

... insert obligatory joke about using a Microsoft product to further my Free Software implementations ...

The whole thing was surprisingly easy to set up. The only real challenge I experienced was that the LEAF hostap packages do not include the necessary kernel modules! A quick query to the leaf-user mailing list, and I had all the info that I needed. For posterity, here's what I needed to do.

Download and install the following LEAF packages:

Download the LEAF 2.4.26 kernel modules.

Transfer the following modules to /lib/modules/pcmcia on the LEAF system: (I'm not sure, yet, if I need the hostap_crypt_* modules...)

Define the wireless interface in /etc/network/interfaces:

    # Loopback interface.
    auto lo
    iface lo inet loopback

    # Step 1: configure external interface
    auto eth0
    iface eth0 inet static
        address
        netmask
        gateway

    # Step 2: configure internal interface
    # Default: eth1 / fixed IP =
    auto eth1
    iface eth1 inet static
        address
        netmask
        broadcast

    # Step 3: configure WiFi
    # Default: wlan0 / fixed IP =
    # auto wlan0 -- PCMCIA brings this up
    iface wlan0 inet static
        address
        netmask
        broadcast
        up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf

Note: The PCMCIA system handles the process of bringing up the wlan0 interface. Once it's up, the system then launches the hostapd daemon.

Configure /etc/hostapd/hostapd.conf:

    interface=wlan0
    debug=0
    dump_file=/tmp/hostapd.dump
    ssid=skippy
    macaddr_acl=0
    deny_mac_file=/etc/hostapd/hostapd.deny
    own_ip_addr=

There are a lot more configuration items available; these are only a select few for documentation purposes.

Configure shorewall:

/etc/shorewall/zones:

    net     Net     Internet
    loc     Local   Local networks
    wifi    WLAN    Wireless network


    net     eth0    detect  dhcp,routefilter,norfc1918
    loc     eth1    detect  dhcp
    wifi    wlan0   detect  dhcp


    loc     wifi    ACCEPT
    wifi    loc     ACCEPT
    wifi    net     REJECT


    eth0    eth1
    eth0    wlan0



    ACCEPT  wifi    fw      udp     53,67,68
    ACCEPT  wifi    fw      tcp     22,80

    # squid; allow outbound HTTP / HTTPS from the firewall
    ACCEPT  fw      net     tcp     80,443
    ACCEPT  wifi    fw      tcp     3128

    # secured services
    ACCEPT  wifi    net:    tcp     25,443,993,995
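
To check what these Shorewall rows actually let a wireless client reach, here is an added example (not part of the original post, and not Shorewall's own code) that replays the rule and policy rows above in Python. It assumes Shorewall's order of evaluation, first matching rule and then the zone-pair policy, and uses 192.0.2.10 as a constructed placeholder for the host that the page leaves out after "net:"; the function names are hypothetical.

```python
# Rows copied from the rules and policy excerpts on this page.
# 192.0.2.10 is a constructed placeholder: the page elides the host after "net:".
RULES = """
ACCEPT wifi fw udp 53,67,68
ACCEPT wifi fw tcp 22,80
ACCEPT fw net tcp 80,443
ACCEPT wifi fw tcp 3128
ACCEPT wifi net:192.0.2.10 tcp 25,443,993,995
"""
POLICY = """
loc wifi ACCEPT
wifi loc ACCEPT
wifi net REJECT
"""

def parse_rules(text):
    """Return (action, src, dst_zone, dst_host, proto, ports) per rule row."""
    rules = []
    for line in filter(str.strip, text.splitlines()):
        action, src, dst, proto, ports = line.split()
        zone, _, host = dst.partition(":")
        rules.append((action, src, zone, host or None, proto,
                      {int(p) for p in ports.split(",")}))
    return rules

def parse_policy(text):
    """Map (src_zone, dst_zone) -> default action."""
    return {(s, d): a for s, d, a in
            (row.split() for row in text.splitlines() if row.strip())}

def verdict(src, dst_zone, proto, port, dst_host=None):
    """Assumed evaluation order: first matching rule wins, else the zone-pair policy."""
    for action, r_src, r_zone, r_host, r_proto, r_ports in parse_rules(RULES):
        if ((r_src, r_zone, r_proto) == (src, dst_zone, proto)
                and port in r_ports and r_host in (None, dst_host)):
            return action, "rule"
    action = parse_policy(POLICY).get((src, dst_zone))
    return (action, "policy") if action else ("UNSPECIFIED", "no row on this page")

if __name__ == "__main__":
    probes = [("wifi", "net", "tcp", 80, None),             # direct web, bypassing squid
              ("wifi", "fw", "tcp", 3128, None),            # squid on the firewall
              ("wifi", "net", "tcp", 993, "192.0.2.10"),    # IMAPS to the allowed host
              ("wifi", "net", "tcp", 993, "198.51.100.7"),  # IMAPS elsewhere (constructed)
              ("wifi", "loc", "tcp", 445, None),            # wired LAN from wireless
              ("wifi", "fw", "tcp", 23, None)]              # not covered by any row shown
    for src, zone, proto, port, host in probes:
        print(src, zone + (":" + host if host else ""), proto, port,
              "->", *verdict(src, zone, proto, port, host))
```

Run as shown, the probes show direct port 80 traffic from wifi to net rejected by policy while port 3128 on the firewall is accepted, which is what forces wireless clients through squid; they also show wifi to loc accepted by policy on every port.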

Install and configure the LEAF squid.lrp package:

/etc/squid/squid.conf:

    http_port 3128
    cache_mem 2 MB
    maximum_object_size 1024 KB
    minimum_object_size 10 KB
    maximum_object_size_in_memory 8 KB
    ipcache_size 500
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 10
    cache_dir ufs /tmp/cache 5 8 32
    cache_access_log /var/log/access.log
    cache_log /var/log/cache.log
    cache_store_log none
    pid_filename /var/run/
    dns_children 4
    acl alloweddstdomains dstdomain "/etc/squid/okdomains"
    http_access allow alloweddstdomains
    http_access deny all
    icp_access allow all
    cache_mgr
    visible_hostname firewall
    logfile_rotate 3
    append_domain
    forwarded_for on

Again, there are tons more config options. I've tweaked my cache behavior since I'm using this as a policy tool rather than a performance enhancing caching tool. That, and this system is running on a 486 DX4/100 with 32 megs of RAM, 12 of which are allocated to the system in a RAM disk. And I'm currently only providing access to two wireless hosts (unless my neighbors want to access any of the following sites, which is okay by me...)

/etc/squid/okdomains:


kids sites

Configure dnsmasq to provide DHCP addresses to wireless hosts: /etc/dnsmasq.conf:



Done. I hope this helps someone else save a little bit of time and effort.

