HostAP

published 2005-01-07

I just reconfigured my LEAF Bering uClibc router to act as a wireless access point. Previously my wireless network was operating in ad-hoc mode, which caused some occasional headaches (someone nearby is using a Linksys WiFi router to which my clients occasionally connect. Nothing as bad as what DrBacchus experienced, though, thankfully). The Orinoco Gold card that I’d been using is not supported by HostAP, so I bought a used Microsoft MN-520 PCMCIA wireless adapter for $20. This card uses the Prism2 chipset which is supported by HostAP. (See this page for a rather comprehensive list if you’re looking for one.)

… insert obligatory joke about using a Microsoft product to further my Free Software implementations …

The whole thing was surprisingly easy to set. The only real challenge I experienced was that the LEAF hostap packages do not include the kernel modules necessary! A quick query to the leaf-user mailing list, and I had all the info that I needed. For posterity, here’s what I needed to do.

Download and install the following LEAF packages:

pcmcia
pcmod
libm
wireless
hostapd
hostapu

Download the LEAF 2.4.26 kernel modules. Transfer the following modules to /lib/modules/pcmcia on the LEAF system:

net/hostap.o
pcmcia/hostap_cs.o

(I'm not sure, yet, if I need the hostap_crypt_* modules...) Define the wireless interface in /etc/network/interfaces:

# Loopback interface. auto lo iface lo inet loopback
Step 1: configure external interface

auto eth0
iface eth0 inet static
address 66.93.81.185
netmask 255.255.255.0
gateway 66.93.81.1

Step 2: configure internal interface

Default: eth1 / fixed IP = 192.168.0.254

auto eth1
iface eth1 inet static
address 192.168.0.254
netmask 255.255.255.0
broadcast 192.168.0.255

Step 3: configure WiFi

Default: wlan0 / fixed IP = 192.168.1.254

#auto wlan0 – PCMCIA brings this up
iface wlan0 inet static
address 192.168.1.254
netmask 255.255.255.0
broadcast 192.168.1.255
up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf

Note: The PCMCIA system handles the process of bringing up the wlan0 interface. Once it's up, the system then launches the hostapd daemon.

Configure /hostapd/hostapd.conf:

interface=wlan0 debug=0 dump_file=/tmp/hostapd.dump ssid=skippy macaddr_acl=0 deny_mac_file=/etc/hostapd/hostapd.deny own_ip_addr=127.0.0.1

There are a lot more configuration items available; these are only a select few for documentation purposes.

Configure shorewall:
/etc/shorewall/zones:

#ZONE DISPLAY COMMENTS net Net Internet loc Local Local networks wifi WLAN Wireless network

/etc/shorewall/interfaces:

#ZONE INTERFACE BROADCAST OPTIONS net eth0 detect dhcp,routefilter,norfc1918 loc eth1 detect dhcp wifi wlan0 detect dhcp

/etc/shorewall/policy:

#SOURCE DEST POLICY LOG LIMIT:BURST # LEVEL loc wifi ACCEPT wifi loc ACCEPT wifi net REJECT

/etc/shorewall/masq:

#INTERFACE SUBNET ADDRESS PROTO PORT(S) eth0 eth1 eth0 wlan0

/etc/shorewall/rules:

# WIRELESS RULES ACCEPT wifi fw udp 53,67,68 ACCEPT wifi fw tcp 22,80 # squid; allow outbound HTTP / HTTPS from the firewall ACCEPT fw net tcp 80,443 ACCEPT wifi fw tcp 3128 # secured skippy.net services ACCEPT wifi net:66.93.81.236 tcp 25,443,993,995

Install and configure the LEAF squid.lrp package:
/etc/squid/squid.conf:

http_port 3128 cache_mem 2 MB maximum_object_size 1024 KB minimum_object_size 10 KB maximum_object_size_in_memory 8 KB ipcache_size 500 ipcache_low 90 ipcache_high 95 fqdncache_size 10 cache_dir ufs /tmp/cache 5 8 32 cache_access_log /var/log/access.log cache_log /var/log/cache.log cache_store_log none pid_filename /var/run/squid.pid dns_children 4 acl allowed_dstdomains dstdomain "/etc/squid/ok_domains" http_access allow allowed_dstdomains http_access deny all icp_access allow all cache_mgr skippy@skippy.net visible_hostname firewall logfile_rotate 3 append_domain .skippy.net forwarded_for on

Again, there are tons more config options. I've tweaked my cache behavior since I'm using this as a policy tool rather than a performance enhancing caching tool. That, and this system is running on a 486 DX4/100 with 32 megs of RAM, 12 of which are allocated to the system in a RAM disk. And I'm currently only providing access to two wireless hosts (unless my neighbors want to access any of the following sites, which is okay by me...) /etc/squid/ok_domains:

# miscellaneous .microsoft.com .windowsupdate.com .google.com .bbc.co.uk
kids sites

.skippy.net
.upsoclose.com
.everythinggirl.com
.funbrain.com
.nickjr.com
.noggin.com
.paulysplayhouse.com
.scholastic.com
.citycreator.com
transfer.go.com
.disney.com
.disney.go.com
.pbskids.org
.care-bears.com
.iknowthat.com
.hhmi.org
.sanrio.com

Configure dnsmasq to provide DHCP addresses to wireless hosts:
/etc/dnsmasq.conf:

dhcp-range=wifi,192.168.1.1,192.168.1.20,72h

BACK UP EVERYTHING.

Done. I hope this helps someone else save a little bit of time and effort.