HostAP

I just reconfigured my LEAF Bering uClibc router to act as a wireless access point. Previously my wireless network was operating in ad-hoc mode, which caused some occasional headaches (someone nearby is using a Linksys WiFi router to which my clients occasionally connect. Nothing as bad as what DrBacchus experienced, though, thankfully). The Orinoco Gold card that I'd been using is not supported by HostAP, so I bought a used Microsoft MN-520 PCMCIA wireless adapter for $20. This card uses the Prism2 chipset which is supported by HostAP. (See this page for a rather comprehensive list if you're looking for one.)

... insert obligatory joke about using a Microsoft product to further my Free Software implementations ...

The whole thing was surprisingly easy to set up. The only real challenge I experienced was that the LEAF hostap packages do not include the necessary kernel modules! A quick query to the leaf-user mailing list, and I had all the info that I needed. For posterity, here's what I needed to do.

Download and install the following LEAF packages:

Download the LEAF 2.4.26 kernel modules. Transfer the following modules to /lib/modules/pcmcia on the LEAF system: (I'm not sure, yet, if I need the hostapcrypt_* modules...)

Define the wireless interface in /etc/network/interfaces:

    # Loopback interface.
    auto lo
    iface lo inet loopback

    # Step 1: configure external interface
    auto eth0
    iface eth0 inet static
        address 66.93.81.185
        netmask 255.255.255.0
        gateway 66.93.81.1

    # Step 2: configure internal interface
    # Default: eth1 / fixed IP = 192.168.0.254
    auto eth1
    iface eth1 inet static
        address 192.168.0.254
        netmask 255.255.255.0
        broadcast 192.168.0.255

    # Step 3: configure WiFi
    # Default: wlan0 / fixed IP = 192.168.1.254
    # auto wlan0 -- PCMCIA brings this up
    iface wlan0 inet static
        address 192.168.1.254
        netmask 255.255.255.0
        broadcast 192.168.1.255
        up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf

Note: The PCMCIA system handles the process of bringing up the wlan0 interface. Once it's up, the system then launches the hostapd daemon.

Configure /etc/hostapd/hostapd.conf:

    interface=wlan0
    debug=0
    dump_file=/tmp/hostapd.dump
    ssid=skippy
    macaddr_acl=0
    deny_mac_file=/etc/hostapd/hostapd.deny
    own_ip_addr=127.0.0.1

There are a lot more configuration items available; these are only a select few for documentation purposes.

Configure shorewall. /etc/shorewall/zones:

    #ZONE   DISPLAY   COMMENTS
    net     Net       Internet
    loc     Local     Local networks
    wifi    WLAN      Wireless network

/etc/shorewall/interfaces:

    #ZONE   INTERFACE   BROADCAST   OPTIONS
    net     eth0        detect      dhcp,routefilter,norfc1918
    loc     eth1        detect      dhcp
    wifi    wlan0       detect      dhcp

/etc/shorewall/policy:

    #SOURCE   DEST   POLICY   LOG LEVEL   LIMIT:BURST
    loc       wifi   ACCEPT
    wifi      loc    ACCEPT
    wifi      net    REJECT

/etc/shorewall/masq:

    #INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)
    eth0         eth1
    eth0         wlan0

/etc/shorewall/rules:

    # WIRELESS RULES
    ACCEPT   wifi   fw                 udp   53,67,68
    ACCEPT   wifi   fw                 tcp   22,80

    # squid; allow outbound HTTP / HTTPS from the firewall
    ACCEPT   fw     net                tcp   80,443
    ACCEPT   wifi   fw                 tcp   3128

    # secured skippy.net services
    ACCEPT   wifi   net:66.93.81.236   tcp   25,443,993,995
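To confirm what a wireless client can actually reach under the policy and rules above, here is a small evaluator that applies them the way shorewall does (the rules file first, then the zone policy). This is an added example, not part of the original post: the Packet type, the verdict helper and the sample traffic are constructed for illustration, and "fw" stands for shorewall's firewall zone.

```python
from typing import NamedTuple, Optional

# Zone policy from /etc/shorewall/policy: (source, dest) -> POLICY.
POLICY = {
    ("loc", "wifi"): "ACCEPT",
    ("wifi", "loc"): "ACCEPT",
    ("wifi", "net"): "REJECT",
}

# Rules from /etc/shorewall/rules: (action, source, dest, proto, ports).
# A dest written as "zone:addr" restricts the rule to that one address.
RULES = [
    ("ACCEPT", "wifi", "fw",               "udp", {53, 67, 68}),
    ("ACCEPT", "wifi", "fw",               "tcp", {22, 80}),
    ("ACCEPT", "fw",   "net",              "tcp", {80, 443}),
    ("ACCEPT", "wifi", "fw",               "tcp", {3128}),
    ("ACCEPT", "wifi", "net:66.93.81.236", "tcp", {25, 443, 993, 995}),
]

class Packet(NamedTuple):          # constructed model of one connection
    src_zone: str
    dst_zone: str
    dst_addr: str
    proto: str
    port: int

def _dest_matches(rule_dest: str, pkt: Packet) -> bool:
    zone, _, addr = rule_dest.partition(":")
    return zone == pkt.dst_zone and (addr == "" or addr == pkt.dst_addr)

def verdict(pkt: Packet) -> Optional[str]:
    """ACCEPT/REJECT for pkt; None if neither a rule nor a listed policy
    covers it (shorewall would then fall back to its default policy)."""
    for action, src, dest, proto, ports in RULES:   # first match wins
        if src == pkt.src_zone and _dest_matches(dest, pkt) \
                and proto == pkt.proto and pkt.port in ports:
            return action
    return POLICY.get((pkt.src_zone, pkt.dst_zone))

if __name__ == "__main__":
    # Constructed sample traffic from a wireless client.
    for p in (Packet("wifi", "fw", "192.168.1.254", "udp", 53),
              Packet("wifi", "net", "66.93.81.236", "tcp", 993),
              Packet("wifi", "net", "198.51.100.7", "tcp", 443)):
        print(p, "->", verdict(p))
```

Note that a wireless client asking for HTTPS on any host other than 66.93.81.236 is rejected by the zone policy, which is exactly why web access has to go through squid on port 3128.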

Install and configure the LEAF squid.lrp package. /etc/squid/squid.conf:

    http_port 3128
    cache_mem 2 MB
    maximum_object_size 1024 KB
    minimum_object_size 10 KB
    maximum_object_size_in_memory 8 KB
    ipcache_size 500
    ipcache_low 90
    ipcache_high 95
    fqdncache_size 10
    cache_dir ufs /tmp/cache 5 8 32
    cache_access_log /var/log/access.log
    cache_log /var/log/cache.log
    cache_store_log none
    pid_filename /var/run/squid.pid
    dns_children 4
    acl alloweddstdomains dstdomain "/etc/squid/okdomains"
    http_access allow alloweddstdomains
    http_access deny all
    icp_access allow all
    cache_mgr skippy@skippy.net
    visible_hostname firewall
    logfile_rotate 3
    append_domain .skippy.net
    forwarded_for on

Again, there are tons more config options. I've tweaked my cache behavior since I'm using this as a policy tool rather than a performance-enhancing caching tool. That, and this system is running on a 486 DX4/100 with 32 megs of RAM, 12 of which are allocated to the system in a RAM disk. And I'm currently only providing access to two wireless hosts (unless my neighbors want to access any of the following sites, which is okay by me...).

/etc/squid/okdomains:

    # miscellaneous
    .microsoft.com
    .windowsupdate.com
    .google.com
    .bbc.co.uk

    # kids sites
    .skippy.net
    .upsoclose.com
    .everythinggirl.com
    .funbrain.com
    .nickjr.com
    .noggin.com
    .paulysplayhouse.com
    .scholastic.com
    .citycreator.com
    transfer.go.com
    .disney.com
    .disney.go.com
    .pbskids.org
    .care-bears.com
    .iknowthat.com
    .hhmi.org
    .sanrio.com

Configure dnsmasq to provide DHCP addresses to wireless hosts: /etc/dnsmasq.conf:

    dhcp-range=wifi,192.168.1.1,192.168.1.20,72h

BACK UP EVERYTHING.

Done. I hope this helps someone else save a little bit of time and effort.
