# Gentoo wireless + HostAP setup procedure (long)

## dripton

My wireless network is working well now, so here's a brain dump before I forget what I did.  Hope it helps someone.

Goals:

1. Allow my Gentoo laptop to use the net from anywhere in the house without wires

2. Easy expandability and maintenance in the future

3. Low cost

4. Security

Solution:

Two Prism2-based 802.11b cards, one PCMCIA and one PCI.  HostAP driver on the PCI card to turn it into a managed access point; any working Prism2 driver on the PCMCIA card.  iptables firewall treating the wireless subnet as untrusted.

Stage One: Picking the NICs

Because I wanted HostAP, I had to use a Prism2 card on the gateway box.  Prism2 cards are among the cheapest and best-supported cards out there, so I decided to use another one for the laptop.

After some web searching I chose a D-Link DWL-520 (*not* the 520+, which uses an unsupported TI chipset) PCI card and a Netgear MA401NA PCMCIA card.  There are probably other equally good choices.  But you need to make sure that the card you choose *still* uses the Prism2 chipset.  Some cards that formerly used the Prism2 chipset (e.g. Linksys WMP11, D-Link DWL-650) have switched to other chipsets, without changing model numbers.  Also, when picking a PCI card, make sure it really is a standalone PCI card, not a holder for a PCMCIA card.

I got both cards from newegg.com (picked using the algorithm "check pricewatch and go with the cheapest place you've had good luck with") -- $66 for the DWL-520 and $55 for the MA401NA, plus $7 s/h.  The local Best Buy wanted $80 for the MA401NA and didn't have the DWL-520 (or any other Prism2 PCI card) in stock.

Stage Two: Kernel configuration (both machines)

http://trekweb.com/~jasonb/articles/hostap_20021012.shtml

shows what you need to do.  I just followed his directions.  I'll give a bit more detail below, but I'm not rewriting the Kernel-HOWTO.

I already had the vanilla 2.4.19 kernel source.  Downloaded the 2.4.20-rc1 patch from http://kernel.org, installed wireless-tools (Gentoo has an ebuild for it), downloaded the latest HostAP driver from http://hostap.epitest.fi, and grabbed the wireless extensions v15 patch from http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/iw252_we15-5.diff

Copied all of the above over to /usr/src.  su to root, mv my existing 2.4.19 tree to a new name so it wouldn't be overwritten, untarred the 2.4.19 source, rm the linux symlink and repointed it to the new 2.4.19 dir, patch -p0 < filename on the 2.4.20-rc1 patch and the wireless extensions patch.  All patches applied okay.  I then renamed the new kernel tree kernel-2.4.20-rc1, renamed my old 2.4.19 tree back to 2.4.19, copied my old .config file into my new tree, used "make menuconfig" to turn on the "Wireless LAN (non-hamradio)" and "802.1d Ethernet Bridging" options, and ran "make oldconfig" just in case any new options snuck into 2.4.20-rc1.  Then I backed up the new .config and did "make dep clean bzImage modules modules_install".  When it finally finished I mounted /boot, copied arch/i386/boot/bzImage to /boot/bzImage.2.4.20-rc1, and added an entry to /boot/grub/menu.lst for the new kernel.  Rebooted, saw that the new kernel worked, and changed menu.lst to make the new kernel the default.  Then I repeated the whole procedure on the other box.  When I was done I re-emerged pcmcia-cs on the laptop just to make sure it was in sync with the kernel.

Stage Three: HostAP compilation (gateway)

HostAP depends on the kernel, which is why I installed the updated kernel first.  Compiling HostAP for PCI is a breeze.  Basically just expanded the tarball into a tmp directory, read the README files, did a "make pci" and a "make install_pci" and then a modprobe hostap_pci to ensure that it loaded.  Loaded, with no errors in the logs.

Stage Four: orinoco_cs (laptop)

There are multiple choices of prism2 drivers: HostAP, orinoco_cs, and wlan_ng.  The HostAP docs say that it's probably not as good as the other drivers for non-access-point use.  orinoco_cs was already installed by pcmcia-cs and has a reputation for being easier to configure than wlan_ng, so I decided to try orinoco_cs first.  Since it was already there I just did a modprobe test.  Loaded okay.

Stage Five: Manual configuration

http://trekweb.com/~jasonb/articles/hostap_20021012.shtml

has examples of the ifconfig and iwconfig commands it takes to bring up wireless cards.  I followed the examples, and didn't see any errors, and pinged, and it didn't work.  I eventually saw that the MAC address of my gateway NIC was in my laptop's iwconfig output, which meant they were talking.  At that point I realized my firewall was blocking the pings, unplugged the network cable to the cable modem, and turned off the firewall.  Then the pings worked.  Duh.

Stage Six: Gateway configuration

The gateway box is actually still running RedHat 7.3 not Gentoo, so I won't go into too much detail.  Keep in mind that the configuration values are the same because both are using iwconfig; it's just a matter of which config files they go in.  When I get around to Gentooizing this box I can post more details if that helps someone.

/etc/modules.conf

```
alias eth2 hostap_pci
```

/etc/sysconfig/network-scripts/ifcfg-wlan0

```
DEVICE='wlan0'
IPADDR='192.168.1.1'
NETMASK='255.255.255.0'
NETWORK='192.168.1.0'
BROADCAST='192.168.1.255'    # must match the 192.168.1.0/24 wlan subnet above
ONBOOT='yes'
GATEWAY='192.168.0.2'        # The wired gateway.  I know, using .2 is weird.
WIRELESS_MODE='Master'
WIRELESS_ESSID='pick your own name here'
WIRELESS_CHANNEL='1'
```

In Gentoo most of these settings would translate directly into the equivalent in /etc/conf.d/wlan0, like in the laptop config below.  The only thing I'm not sure about is where WIRELESS* would go.  They normally go in wireless.opts, but this is a desktop with no pcmcia support so there is no wireless.opts.  But remember they're just arguments to iwconfig, so if you can't find a good config file you can always just hardcode the full iwconfig commands in a startup script.

Stage Seven: Laptop configuration

I used eth0 instead of wlan0 for some reason.  (It was late.)  I will probably fix this later for consistency.

/etc/conf.d/net

```
iface_eth0="192.168.1.10 broadcast 192.168.1.255 netmask 255.255.255.0"
gateway="eth0/192.168.1.1"
```

/etc/pcmcia/wireless.opts

```
ESSID="pick your own name here"
MODE="Managed"
CHANNEL="1"  # change if needed
RATE="auto"
```

Left the others at their defaults.

Stage Eight: Testing the startup scripts and config files

Rebooted both boxes to ensure that the wireless config came up correctly at boot.  The logs looked good, but I couldn't ping.  Turned off the firewall (didn't take as long to figure out the second time) and it worked.

Stage Nine: Fixing the firewall

Several wireless LAN examples include bridging the wireless subnet to the LAN subnet.  Nice trick, but *DON'T DO THAT* in an environment where security matters at all.  Wireless clients need to be treated as external to the firewall, or else anyone wardriving your wlan is all the way in.

My iptables firewall is based on one of Oskar Andreasson's examples: http://iptables-tutorial.haringstad.com/chunkyhtml/x4754.html .  I had tweaked the allowed and denied ports for tcp and udp, but otherwise it was all Oskar's.

Because your firewall is certainly different than mine, and because I don't want to advertise the exact ports I let through, I'll give a general description of the changes rather than the whole file.

I added parallel entries for WLAN_INTERFACE, WLAN_IP, etc. just like for the existing LAN_* and INET_*, and filled in the proper values.

I set the FORWARD and OUTPUT rules for the WLAN_IFACE just like for the LAN_IFACE.

I set the INPUT rules for the WLAN_IFACE just like for the INET_IFACE.  (*Not* the LAN_IFACE -- remember, I don't trust the wlan.)

Then I made clones of the tcp_packets and udpincoming_packets chains with "wlan_" in front of the names, so I could change the allowed and denied ports for INET and WLAN independently.

I didn't set up WEP, because it's been cracked.  I could use ipsec, but I already use ssh and scp rather than telnet and ftp.  I guess someone could snoop my non-SSL web traffic or non-GPG email by radio, but they could also snoop it between the cable modem and the remote site, where I have no control, so why bother trying to stop this?  Just don't ever type sensitive data into non-SSL web pages or non-GPG emails, because you just can't secure the whole Internet.

Stage Ten: Range testing

The gateway is in the basement, so I took the laptop up to the top floor and checked my email.  No problem.  I then took it outside and walked around with a ping going.  The network worked fine to about halfway down my driveway.  Didn't measure, but probably about 15 m plus a floor of elevation change and an exterior wall.  Guess I don't have to worry too much about wardrivers, unless they come into my driveway or their laptops have much better antennas than mine.  (Which they of course do.)

Stage Eleven: Speed testing

Pings are mostly in the 2.5 to 3 ms range.

```
$ scp linux-2.4.19.tar.bz2 bugsy:
linux-2.4.19.tar.bz2 100% |*****************************| 25432 KB    00:45
```

26042494 bytes / 45s = 578722 bytes/s * 8 bits/byte = 4629776 bits / s.

So over 4.6 Mbps.   Fast enough.  So I'm sticking with orinoco_cs for now, rather than trying wlan_ng or HostAP on the laptop.

scp of course understates the bandwidth available because of the encryption overhead.  I could download a "better" benchmark that gives higher numbers and shows my "real" bandwidth.  But in reality scp'ing big files around is the most demanding thing I'm likely to do, so it's a fair test.  (My Internet connection is much slower than the wlan, so it won't bottleneck remote stuff.)

----------

## rizzo

I'm setting this up on my Gentoo gateway as we speak.  I'll update with any differences I've found.  My client is going to be my compaq iPAQ running familiar linux with a D-Link DCF-650W compact flash card for wireless.  My gateway box has the Linksys WMP 11, along with the two land-line NICs that were in previously.

If you have any updates I'd like to see them.

----------

## rizzo

You might want to note that all devices need to have the same ESSID and channel number.  The ESSID one bit me in the ass.

I'll probably work on your post and come up with a co-authored doc for Tips n Tricks, if you don't mind.

----------

## dripton

Sure, feel free to reuse.

Yes, ESSID and channel must be consistent throughout the wlan.  I should have noted that explicitly.  Note that using an ESSID consisting of only non-printable characters is said to foil some wardriving programs.  (While also making maintenance that much harder.)

I didn't include the step of setting up a DHCP server for the wlan, because I haven't actually done that yet.  And I haven't gotten around to upgrading my gateway box from RedHat to Gentoo.  I will update this thread when I do those things.

----------

## rizzo

Yeah right now both my gateway (gentoo p200) and client (familiar ipaq) are running in Ad-Hoc mode.  Eventually I'd like to be able to have the gateway be a true WAP.  I'm told this means it has to run in Master mode and be doing DHCP.  Assuming I just need to add a DHCP config line for interface wlan0 (I already have it for eth1), that might not be so tough.  So then I could just set my ipaq to "managed" mode and it would automatically pick up.

All I know about wireless I learned this past weekend, so I may be way off.

----------

## dripton

> Yeah right now both my gateway (gentoo p200) and client (familiar ipaq) are running in Ad-Hoc mode. Eventually I'd like to be able to have the gateway be a true WAP. I'm told this means it has to run in Master mode and be doing DHCP. Assuming I just need to add a DHCP config line for interface wlan0 (I already have it for eth1), that might not be so tough. So then I could just set my ipaq to "managed" mode and it would automatically pick up.

Right.  Of course you need to be running the HostAP driver on the gateway, because it's the only one that supports Master mode.

----------

## rizzo

I'm running hostap_pci on the gateway and hostap_cs on my client.

----------

## dripton

Adding a DHCP server was easy.  The only trick is that most of the dhcpd configuration goes in /etc/dhcpd.conf, but the network interface does not.  Instead it's an argument to the dhcpd command line.  For Gentoo it goes in /etc/conf.d/dhcpd

----------

## rizzo

Yup I got it going this weekend and my gateway is now a true access point in Master mode, and my ipaq picks it up instantly when I plug the CF 802.11b card in.  It's a thing of beauty.

Now just to find the money to pay for the cards.  *sigh*

----------

## rizzo

OK I have my gateway going as normal with the wired LAN on 172.16.30.0 and the wireless LAN on 172.16.32.0.  Both can route to the internet and talk to each other.  However we play various games that when you select "LAN" they only check the local subnet for whatever reason.

So what I'd like to do is get the wireless LAN on the same subnet as the wired LAN.  Basically I'm wondering how I would set that up?  My eth1 (wired lan) is 172.16.30.1, and my wlan0 is currently 172.16.32.1.  I tried setting wlan0 to 172.16.30.2, and changed DHCP accordingly.  The wlan clients got DHCP info, but couldn't route anywhere or even ping the gateway box.

----------

## dripton

> So what I'd like to do is get the wireless LAN on the same subnet as the wired LAN.

You bridge the two interfaces.

This link shows how to do it:

http://trekweb.com/~jasonb/articles/hostap_20021012.shtml

Think about the security implications first.

----------

## rizzo

Ahh very cool.  So I just bridge wlan0 and eth1.  Then in my iptables firewall I replace all occurrences of eth1 with br0, and I can get rid of the otherwise duplicate wlan0 references.

Then I just tell DHCP to use the br0 interface?  How do I get it to bridge on startup?  Will I just have to make a net.br0 script and add a br0 entry in the conf.d/net script?

Update:

Aha it works great.  I haven't tested out the automatic starting scripts but I'll worry about that later.

Thanks.

----------

## Xepher

Ok, I've got 2 problems here...

I'm using a netgear ma311 wireless card in my server, and I'm attempting to bridge it to my ethernet network so that my roommate can use his compaq laptop (winXP).

Problem 1... When I'm using the card in master (Access point) mode, I can't connect with the laptop. I've double checked all the keys, settings... tried different channels, even no encryption... The laptop even sees the network and its ESSID in the config, but just won't connect to it. Ad-hoc mode seems to work fine though, so I've been using that for now. My guess is that it's some flaw in communication between what windows looks for in an AP and what linux provides. Possibly that the card doesn't generate a beacon or some such nonsense.

Problem 2... Using ad-hoc mode. Got this up and working, and then tried to bridge the wireless lan with the wired lan. Followed all the above instructions and got no errors. Here's the odd part... DHCP works fine... that is, the laptop properly configures itself via the dhcp server, which is a separate physical machine from the wireless access point. Thus, I surmise the bridge is working. However...

When I try to use any IP based protocols (pings, www, ssh, etc.) nothing goes through. I can connect to the bridging box via the bridge IP, but I can't ping anything else on the network, and nothing else on the network can ping the laptop.

My guess was that something in the kernel's routing/QoS behavior was hooking IP packets before the bridge got 'em. I disabled everything non-essential in the kernel network config, recompiled, and still had the same problem. I really don't know what more to try on this.

What I finally settled on was using normal ip forwarding on the access point machine (still in ad-hoc), and setting the laptop on its own subnet (manually configured.) This is _not_ the unified solution that I'd like to see. Anyone have any suggestions?

Oh, and I do know about the inherent danger in bridging a wireless network to a private subnet as well as the "better" solutions involving routing, iptables, NAT, etc. But I still think bridging better serves my needs. (AKA IPX gaming) :)

Thanks!

----------

## BradN

Xepher:  What driver are you using with your wireless card?  I think you need to use HostAP or find a way to get an updated (illegal?) firmware on it.  It sounds like your problems are the same as mine when I try to use my prism card with just the normal orinoco drivers.  I'm still trying to figure out a good way to do this...

----------

## Xepher

I am using the hostap drivers. Nothing seems amiss as far as errors are concerned. The only catch is that the laptop can't connect to the network.

I'm pretty sure the bridge problem is entirely separate from the drivers, since, as I said, dhcp packets seem to get through just fine. Only IP packets get hung up somewhere in the middle.

----------

## razamatan

what if the wireless network provides internet connectivity...

that is... can the wireless nic act as the ap AND a client???

----------

## luggage

gentoo has an ebuild for hostap. It's in testing, so to install it do:

```
ACCEPT_KEYWORDS="~x86" emerge hostap
```

This will put the binaries in the modules directory for you, so after emerging, simply do:

```
modprobe hostap_pci
```

Now I'm trying to find a good clean way to integrate the config in /etc/init.d/net.wlan0 so it's gentoo-style.

Mine is a PCI card too, so no wireless.opts.

----------

## dripton

Updating an ancient post for the benefit of people who find it via search:

I updated my tri-head (eth0 to hub to 100 Mbps wired LAN, eth1 to cable modem, wlan0 to wireless LAN) gateway / firewall box to Gentoo.

There are 4 different hostap ebuilds.  net-wireless/hostap is masked; I don't use it.  I have net-wireless/hostap-driver, net-wireless/hostap-utils, and net-wireless/hostapd installed.  (This box has a 2.4 kernel.  The ebuilds do not currently work with 2.6; if you want hostap on 2.6 you're going to need to do more work.)  hostapd is set up to run at boot from the default runlevel.

Configuration for all three NICs is in /etc/conf.d/net.  The wireless-specific configuration is in /etc/hostapd/hostapd.conf.  I have "macaddr_acl=1" to only accept whitelisted MAC addresses, and the MAC addresses of my other wireless cards in /etc/hostapd/hostapd.accept.  I didn't have to install pcmcia or use any pcmcia-specific config files.

----------

