I just reconfigured my LEAF Bering uClibc router to act as a wireless access point. Previously my wireless network was operating in ad-hoc mode, which caused some occasional headaches (someone nearby is using a Linksys WiFi router to which my clients occasionally connect. Nothing as bad as what DrBacchus experienced, though, thankfully). The Orinoco Gold card that I’d been using is not supported by HostAP, so I bought a used Microsoft MN-520 PCMCIA wireless adapter for $20. This card uses the Prism2 chipset which is supported by HostAP. (See this page for a rather comprehensive list if you’re looking for one.)
… insert obligatory joke about using a Microsoft product to further my Free Software implementations …
The whole thing was surprisingly easy to set up. The only real challenge I experienced was that the LEAF hostap packages do not include the necessary kernel modules! A quick query to the leaf-user mailing list, and I had all the info that I needed. For posterity, here’s what I needed to do.
Download and install the following LEAF packages:
Note: The PCMCIA system handles the process of bringing up the wlan0 interface. Once it’s up, the system then launches the hostapd daemon.
Configure the network interfaces in /etc/network/interfaces:

auto lo
iface lo inet loopback

# Step 1: configure external interface
auto eth0
iface eth0 inet static
    address 220.127.116.11
    netmask 255.255.255.0
    gateway 18.104.22.168

# Step 2: configure internal interface
# Default: eth1 / fixed IP = 192.168.0.254
auto eth1
iface eth1 inet static
    address 192.168.0.254
    netmask 255.255.255.0
    broadcast 192.168.0.255

# Step 3: configure WiFi
# Default: wlan0 / fixed IP = 192.168.1.254
#auto wlan0 -- PCMCIA brings this up
iface wlan0 inet static
    address 192.168.1.254
    netmask 255.255.255.0
    broadcast 192.168.1.255
    up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
Configure hostapd: /etc/hostapd/hostapd.conf:

interface=wlan0
debug=0
dump_file=/tmp/hostapd.dump
ssid=skippy
macaddr_acl=0
deny_mac_file=/etc/hostapd/hostapd.deny
own_ip_addr=127.0.0.1

There are a lot more configuration items available; these are only a select few for documentation purposes.
Configure shorewall:

/etc/shorewall/zones:

#ZONE   DISPLAY   COMMENTS
net     Net       Internet
loc     Local     Local networks
wifi    WLAN      Wireless network

/etc/shorewall/interfaces:

#ZONE   INTERFACE   BROADCAST   OPTIONS
net     eth0        detect      dhcp,routefilter,norfc1918
loc     eth1        detect      dhcp
wifi    wlan0       detect      dhcp

/etc/shorewall/policy:

#SOURCE   DEST   POLICY   LOG   LIMIT:BURST
loc       wifi   ACCEPT
wifi      loc    ACCEPT
wifi      net    REJECT

/etc/shorewall/masq:

#INTERFACE   SUBNET   ADDRESS   PROTO   PORT(S)
eth0         eth1
eth0         wlan0

/etc/shorewall/rules:

ACCEPT   wifi   fw                    udp   53,67,68
ACCEPT   wifi   fw                    tcp   22,80
# squid; allow outbound HTTP / HTTPS from the firewall
ACCEPT   fw     net                   tcp   80,443
ACCEPT   wifi   fw                    tcp   3128
# secured skippy.net services
ACCEPT   wifi   net:22.214.171.124    tcp   25,443,993,995
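To check that the zones, policy and rules above actually produce the intended outcomes (wireless clients reach the Internet only through squid or the listed skippy.net services, but have unrestricted access to the wired LAN), here is a small model of Shorewall's evaluation order. This is an added example, not part of the original post or of Shorewall itself: rules are consulted first and the first match wins; if no rule matches, the first matching policy entry decides. The `all all REJECT` catch-all at the end of the policy table is an assumption, since the post shows only three policy lines; the LOG and LIMIT columns and the `all` protocol are ignored.

```shell
#!/bin/sh
# Added example (not from the original post): model how Shorewall decides the
# fate of a new connection, using the rules and policy from this configuration.

# Rules from the post (ACTION SOURCE DEST PROTO DEST-PORT(S)).
SW_RULES='ACCEPT wifi fw udp 53,67,68
ACCEPT wifi fw tcp 22,80
ACCEPT fw net tcp 80,443
ACCEPT wifi fw tcp 3128
ACCEPT wifi net:22.214.171.124 tcp 25,443,993,995'

# Policy from the post, plus an assumed "all all REJECT" catch-all
# (Shorewall needs one; the post does not show the rest of its policy file).
SW_POLICY='loc wifi ACCEPT
wifi loc ACCEPT
wifi net REJECT
all all REJECT'

# sw_verdict SRC DST PROTO PORT
#   SRC and DST are zone names, optionally with a host suffix as written in
#   the rules file (e.g. "net:22.214.171.124"). Prints the verdict followed
#   by the rule or policy line that produced it.
sw_verdict() {
    { printf '%s\n' "$SW_RULES"; echo '__POLICY__'; printf '%s\n' "$SW_POLICY"; } |
    awk -v src="$1" -v dst="$2" -v proto="$3" -v port="$4" '
    # zone("net:1.2.3.4") -> "net"
    function zone(s) { sub(/:.*/, "", s); return s }
    # A bare zone in a rule covers every host in that zone; a zone:host
    # entry covers only that exact host.
    function covers(field, query) {
        if (index(field, ":") == 0) return zone(query) == field
        return field == query
    }
    function port_in(list, p,   n, a, i) {
        n = split(list, a, ",")
        for (i = 1; i <= n; i++) if (a[i] == p) return 1
        return 0
    }
    /^__POLICY__$/ { in_policy = 1; next }
    /^#/ || NF == 0 { next }
    !in_policy {
        # rules section: the first matching rule wins
        if (covers($2, src) && covers($3, dst) && $4 == proto && port_in($5, port)) {
            found = 1; print $1 " rule: " $0; exit
        }
        next
    }
    {
        # policy section: "all" is a wildcard on either side
        if (($1 == "all" || $1 == zone(src)) && ($2 == "all" || $2 == zone(dst))) {
            found = 1; print $3 " policy: " $0; exit
        }
    }
    END { if (!found) print "NOPOLICY no matching rule or policy" }'
}

# Walk a few connections a wireless client might attempt.
for q in "wifi fw udp 67" "wifi fw tcp 3128" "wifi net tcp 80" \
         "wifi net:22.214.171.124 tcp 993" "wifi loc tcp 445" "wifi fw tcp 25"; do
    # $q is deliberately unquoted so it splits into the four arguments
    printf '%-36s -> %s\n' "$q" "$(sw_verdict $q)"
done
```

Running it shows `wifi net tcp 80` rejected by policy while `wifi fw tcp 3128` is accepted, which is exactly the "browse only via squid" design; it also makes visible that `wifi loc ACCEPT` gives any host that associates with the AP full access to the wired LAN, something worth keeping in mind with an open SSID.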
Install and configure the LEAF squid.lrp package: /etc/squid/squid.conf:

http_port 3128
cache_mem 2 MB
maximum_object_size 1024 KB
minimum_object_size 10 KB
maximum_object_size_in_memory 8 KB
ipcache_size 500
ipcache_low 90
ipcache_high 95
fqdncache_size 10
cache_dir ufs /tmp/cache 5 8 32
cache_access_log /var/log/access.log
cache_log /var/log/cache.log
cache_store_log none
pid_filename /var/run/squid.pid
dns_children 4
acl allowed_dstdomains dstdomain "/etc/squid/ok_domains"
http_access allow allowed_dstdomains
http_access deny all
icp_access allow all
cache_mgr email@example.com
visible_hostname firewall
logfile_rotate 3
append_domain .skippy.net
forwarded_for on

Again, there are tons more config options. I’ve tweaked my cache behavior since I’m using this as a policy tool rather than a performance-enhancing caching tool. That, and this system is running on a 486 DX4/100 with 32 megs of RAM, 12 of which are allocated to the system in a RAM disk. And I’m currently only providing access to two wireless hosts (unless my neighbors want to access any of the following sites, which is okay by me…)

/etc/squid/ok_domains:

.microsoft.com
.windowsupdate.com
.google.com
.bbc.co.uk
.skippy.net
.upsoclose.com
.everythinggirl.com
.funbrain.com
.nickjr.com
.noggin.com
.paulysplayhouse.com
.scholastic.com
.citycreator.com
transfer.go.com
.disney.com
.disney.go.com
.pbskids.org
.care-bears.com
.iknowthat.com
.hhmi.org
.sanrio.com
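Since the proxy is being used as a policy tool, it helps to be precise about what the `dstdomain` allow list actually admits. The following is an added example, not squid's code and not from the original post: it reproduces squid's `dstdomain` matching semantics against a subset of the ok_domains list above (an entry with a leading dot matches that domain and all of its subdomains; an entry without one, such as `transfer.go.com`, matches only that exact host), with `http_access deny all` as the fallback.

```shell
#!/bin/sh
# Added example (not from the original post): how squid's dstdomain ACL
# matches a requested host name against /etc/squid/ok_domains.

# A subset of the post's ok_domains list, constructed for this example.
SQUID_OK_DOMAINS='.microsoft.com
.windowsupdate.com
.google.com
.skippy.net
transfer.go.com
.disney.com
.disney.go.com
.pbskids.org'

# squid_allowed HOST -> prints "allow (<matching entry>)" or "deny"
squid_allowed() {
    printf '%s\n' "$SQUID_OK_DOMAINS" | awk -v host="$1" '
    BEGIN { host = tolower(host) }       # DNS names are case-insensitive
    NF == 0 || /^#/ { next }
    {
        entry = tolower($1)
        if (substr(entry, 1, 1) == ".") {
            # ".example.com" matches "example.com" and any "*.example.com",
            # but not "notexample.com" (the suffix check keeps the dot)
            bare = substr(entry, 2)
            if (host == bare || (length(host) > length(entry) &&
                substr(host, length(host) - length(entry) + 1) == entry)) {
                found = 1; print "allow (" $1 ")"; exit
            }
        } else if (host == entry) {
            # no leading dot: exact host name only
            found = 1; print "allow (" $1 ")"; exit
        }
    }
    END { if (!found) print "deny" }'
}

# Show the effect of the two entry styles on a few requested hosts.
for h in www.google.com google.com notgoogle.com transfer.go.com go.com \
         v4.windowsupdate.microsoft.com www.disney.go.com example.com; do
    printf '%-34s %s\n' "$h" "$(squid_allowed "$h")"
done
```

Note that this list only governs requests that arrive at the proxy on port 3128; whether a wireless client can reach anything else on the Internet directly is decided by the shorewall rules, not by squid.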
Configure dnsmasq to provide DHCP addresses to wireless hosts: /etc/dnsmasq.conf:
BACK UP EVERYTHING.
Done. I hope this helps someone else save a little bit of time and effort.