# Wireless help required

## riggagoogoo

Hi,

I am new to the world of wireless networking and currently have two PCs connected (workstation and server) via wireless connections in ad-hoc mode (I have no access point) and at present I have no security/encryption on the link.  

What encryption/security should I use (bear in mind this is all new to me!), as I want to bridge the connection to my LAN & WAN NIC in my server to allow full LAN/Internet access, and how do I implement it?

Any detailed help on this would be appreciated

Cheers guys

RiGGa

----------

## NeddySeagoon

riggagoogoo,

The fact that you are using wireless is neither here nor there.

How you go about doing the bridging depends on what you want from the LAN side of the network and how many routable IP addresses you have.

Do you need network address translation (NAT) and IP Masquerading too?

NAT lets you use a private IP range on your LAN.  IP Masquerading makes packets to the internet appear to come from a single IP address, even though they originate anywhere on your LAN. You need IP Masquerading if your ISP has only given you a single routable IP address.

----------

## riggagoogoo

Ok thanks for the info, my set up is as follows:

1x laptop running XP with internal wifi card (unconfigured IP but assume I will use one in the 192.168.0.x range)

1x gentoo workstation with one NIC card in with a static IP address in the 192.168.0.x range

1 x Linux server with 3x NIC cards in as follows:

  Internal LAN card (eth0) static IP address in the 192.168.0.x range

  WAN card (eth1) which connects to my adsl router (router has the IP  assigned by my ISP), the nic (eth1) has a static IP in the  10.0.0.x range

  WIFI card (eth2) not set this up yet so does not have IP but I assume I need to put it in the 192.168.0.x range

The Linux server also firewalls the connection to the WAN card and does the NAT and IP Masq,  eth0 address is the gateway IP specified on the laptop and workstation PCs

What I want from the network is for the laptop and workstation to have full access to each other and the server plus  all being able to get out on to the internet.  

The only new part to my internal LAN is the laptop and the wifi card in the server (presently unconfigured) all other aspects work fine (i.e. nat and IP Masq).

I hope I have explained this well

Cheers

RiGGa

----------

## Dracnor

Well to secure the connection a little more, I would change the essid (most people leave this as the default on their Access Points) and the encryption key.  I would use the highest encryption your cards will allow.  This is not completely secure, but it will help.  You will need to set up an authentication system, LDAP, radius, LEAP, etc. because the encryption of wireless is too weak right now.

----------

## NeddySeagoon

riggagoogoo,

This is what I think you have

```
                              Server                Workstation
                        +--------------+        +---------------+
You have ADSL ----------| eth1         |        |               |
                        |         eth0 | ------ | eth0          |
                        |     WiFi     |        |               |
                        +------+-------+        +---------------+
                        Laptop With WiFi
```

You have a link in the 192.168.0.x range from Server to Workstation

You have a link in the 10.0.0.x range from server to ADSL router

You want to add the Wifi to the party.

The easiest way is to set up a ppp link over the wifi in the 192.168.0.x net. This has the drawback of not being expandable but either everything or nothing will work from the laptop. See man ifconfig if you want to do that.

Allocate the WiFi a new network 192.168.1.0 will do if you use a netmask of 255.255.255.0 on both your 192.168 nets.

Let's call the laptop 192.168.1.10 and the server 192.168.1.11

When you run /sbin/ifconfig on the laptop as in

```
# ifconfig has no gw option; the gateway is set with the route commands further down
/sbin/ifconfig eth0 192.168.1.10 netmask 255.255.255.0
```

You will also need to set the wireless extensions with iwconfig to suit your setup. See iwconfig -h

(The wlan may be wlan0 rather than eth0)

This should have set up a route in the routing table telling how to reach the 192.168.1.0 network via eth0 (or wlan0)

You need to add two more routes with

```
/sbin/route add default gw 192.168.1.11 eth0
/sbin/route add -net 192.168.0.0/24 gw 192.168.1.11 eth0
```

The first route tells how to route packets that don't fit other routing rules

the second rule tells how to reach the 192.168.0.0 network

You automate the IP address and gateway allocations by editing the /etc/conf.d/net file to suit.

You automate the static route addition by adding the command to /etc/conf.d/local.start.

The server should already be set up to do forwarding.

On the server do 

```
less /proc/sys/net/ipv4/ip_forward
```

If all is well you should get the value 1. If not, do  echo "1" >/proc/sys/net/ipv4/ip_forward and put the command in the server's /etc/conf.d/local.start.

Set up the new interface on the server just as on the laptop (but with a different IP). The laptop and server should now be able to ping each other by IP number.

On the workstation, all that is required is to add the new static route to the routing table to describe how to reach the 192.168.1.1 net.

All combinations of ping by IP should now work on your LAN but your laptop cannot yet reach the internet (well not if your firewall works)

You need to add some rules to your firewall so that it treats the 192.168.1.0 net the same as 192.168.0.0. How you do that is specific to your firewall.

With comms across your LAN working, you can now turn on the encryption on the WiFi link.

If you update all the /etc/hosts files, ping by name should work too.

Oh, I haven't done an Ad Hoc wireless network before. My WiFi experience comes from getting WiFi from a PDA running Linux working with an AP.

----------

## riggagoogoo

WOW! Great post, I really appreciate the time you have taken to go through it in such detail. It's all starting to make sense now, all that is apart from where you state

 *Quote:*   

> The easiest way is to set up a ppp link over the wifi in the 192.168.0.x net. This has the drawback of not being expandable but either everything or nothing will work from the laptop

 

I take it that is one option and you then go on to show another way which involves setting up the WIFI on its own network - is this correct??

While looking for more info on this I came across several posts that refer to creating a bridge, I guess from what you have detailed that I will not use this? I also take it that if I had an AP this would also be a lot easier to implement, correct??

Sorry if this is a dumb question but hey I'm learning!     :Very Happy: 

Cheers

RiGGa

Edit: Typo corrected

----------

## NeddySeagoon

riggagoogoo,

Using the ppp method is the simplest but you are stuck with a max of two nodes. If someone comes round for a wireless lan party you will need to set things up properly. You may as well do it properly now.

No you won't have a transparent bridge. You will have two network segments with routing between them and NAT to the outside world.

An AP may be easier. I have the routing going between a co-ax network segment (at 10Mbit) and an RJ-45 network segment (at 100Mbit)

I've used the PPP method over USB when I was downloading stuff into a handheld so I could get WiFi up. (Well, a serial link is so slooooow).

The AP acts as a transparent bridge and it almost just works. It would save all the messing with extra static routes, since you would only have your 192.168.0.0 subnet for everything. You would also need a switch (or hub) since you would have more than two devices on your single subnet.

If you really want to go the PPP way, I have a script that sets things up at the complicated end for usb. It's not mine, I added loads of comments so I could understand what it does. You would only need to change the ethernet device name throughout and it would work for any interface type.

Don't forget about iwconfig to make the wireless extensions the same at both ends of the link. One end on channel 2 and the other end on channel 6 is not good for comms. 

Another drawback with PPP is that you have to run the script to bring the link up. I don't know how to automate it.

----------

## gwlinden

I have used ppp with ssh to secure my wireless lan, which worked OK, but is a bit of a hassle to set up.

Recently I switched to openvpn, which works great. It seems to be a bit more robust (e.g. recovering lost connections), and can be configured to start at boot. Downside is that it is a custom solution, so you need openvpn on both ends of the connection. Both my server and my laptop are running gentoo, and openvpn is in portage.

I followed the OpenVPN HOWTO (just google for it), using static encryption keys. It's important to set up a firewall properly, but that's also described in the HOWTO.

You still need to work out your routing/subnet details, as explained in the posts by NeddySeagoon. You can add any 'route' commands to the vpn.up file in /etc/openvpn/<vpnname>/. I did have to add a route on my ADSL router, so it knows that my gentoo server handles my wireless subnet (10.1.0.x). The ADSL router handles the fixed network subnet (10.0.0.x).

----------

## riggagoogoo

Great! Thanks for the info guys, I'm gonna make a start on it tonight and finish it off tomorrow and I will post how I get on here.  I don't think I will go down the PPP route and once the wireless link is proven to work then I may stick it through a VPN, most probably FreeSwan as I want it to be compatible with XP and not need any client side (XP) software to be installed.

Cheers

RiGGa

----------

## riggagoogoo

Update:

Wireless card installed and appeared to work, however on rebooting the server the card no longer works. I assume that it's because I need to pass it the correct commands using iwconfig, however no matter which ones I try it won't come back to life. The commands I have used are:

```
iwconfig ath0 mode ad-hoc rate auto essid tester
```

I can see the wireless network called tester in XP and it says I've connected to it but I can not send any packets between the server and the laptop. I know the routing is OK as I have for testing purposes disabled eth0 so only the wireless lan is in place and is the default gateway...

Any ideas?  

Any help appreciated as always

RiGGa

----------

## NeddySeagoon

riggagoogoo,

Post the routing tables from the laptop and the server, along with the output from ifconfig on both boxes.

Your iwconfig doesn't mention channel. Are you sure both cards are on the same channel?

----------

## deeppro

if they aren't on the same channel, its XP box cannot be able to see its tester box ...

do you use wep ?

in that case, don't forget to use parameter "key open (s:)XXXXXXX" with iwconfig 

if not this is not a wireless issue but just about routing ...

----------

## riggagoogoo

Sorry, I omitted to state that they are both on the same channel.  I can now connect between the boxes, what I did was set up my card as specified above and then on the XP PC created a connection called tester and then it connected fine.  I assume you must do this for them to see each other and can not simply just select the desired network when it appears in the list? (seems weird to me but hey I'm new to wireless so I could be wrong!)

I haven't got wep enabled yet as I was not sure how to do it plus I wanted to make sure the connection worked first without adding to the possible causes if it did not.

I take it to enable wep I just do:

```
iwconfig ath0 key s:password [1]
iwconfig ath0 key [1] open
```

So those lines set and activate the current wep key and then on the XP PC I just select the network to connect to and when it prompts for a password enter the one I used above.???  I will give it a go and see what happens.

Thanks for being patient with me and helping, its appreciated

RiGGa

----------

## NeddySeagoon

riggagoogoo,

You may not be able to load the key with

```
 iwconfig s:
```

 at both ends of the link.

There is no standard for turning strings into keys and different drivers do it differently, so you could end up with two different keys from the same pass phrase. 

I used a piece of an md5sum as a source of hex digits for my key.
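
Added example, not part of the original posts: one way to act on the concern above is to enter the key as explicit hex digits at both ends, so neither side has to turn a phrase into bytes. The function names are made up for this sketch, and it assumes `md5sum`, `od`, `cut`, `tr` and `head` are installed; `ath0` is the interface name used in this thread.

```shell
#!/bin/sh
# Added illustration, not from the thread. Function names are hypothetical.

# Hex digits for an ASCII key: the raw bytes of the string, which is what
# iwconfig's "s:" prefix loads. Only 5 bytes (40-bit) or 13 bytes (104-bit)
# are accepted.
ascii_to_wep_hex() {
    len=$(printf '%s' "$1" | wc -c | tr -d ' ')
    if [ "$len" -ne 5 ] && [ "$len" -ne 13 ]; then
        echo "key must be 5 or 13 characters, got $len" >&2
        return 1
    fi
    printf '%s' "$1" | od -An -tx1 | tr -d ' \n'
    echo
}

# Hex digits cut from an md5sum of stdin, as described in the post above.
# $1 is the key length in bytes (5 or 13).
md5_to_wep_hex() {
    case "$1" in
        5|13) ;;
        *) echo "key length must be 5 or 13 bytes" >&2; return 1 ;;
    esac
    md5sum | cut -c1-$(( $1 * 2 ))
}

# Constructed sample input: the same 13-character string gives two different
# keys depending on how it is turned into bytes, so both ends should be given
# the same hex digits rather than the same phrase.
phrase='wirelesstest1'
echo "as ASCII bytes : $(ascii_to_wep_hex "$phrase")"
echo "via md5sum     : $(printf '%s' "$phrase" | md5_to_wep_hex 13)"

# A fresh random key for both ends (enter it as: iwconfig ath0 key <hex>):
echo "random 104-bit : $(head -c 32 /dev/urandom | md5_to_wep_hex 13)"
```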

----------

## deeppro

you can use the same command for all...

It's not necessary to use this : [1] , i suppose you use only one key ...

```
iwconfig ath0 essid tester key open s:yourpwd
```

 will be nice ...

NeddySeagoon >> the generated key is not coming from drivers and both XP and linux generate them in the same way

----------

## NeddySeagoon

deeppro,

That's nice to know. My Linksys AP comes with a warning that it does its own thing because there is no standard.

----------

## deeppro

I just would say if its XP box can connect to its AP, its linux box can in the same way ...

----------

## riggagoogoo

Thanks, all is going well now apart from I can not ping from the laptop to the workstation. I assume this is because I need to add eth0 (in the server) as the default gateway for the 192.168.1.x network (address the wifi cards are on), however I have tried running the following command on the server when assigning the IP address for the wifi card and it does not work:

```
ifconfig ath0 192.168.1.10 gw 192.168.0.5
```

(192.168.0.5 is the eth0 card in the server)

This just shows the error:

```
gw: No address associated with name
```

I must be doing something wrong, any ideas?

Here's my current routing table:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 ath0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         my.server       0.0.0.0         UG    1      0        0 eth0
```

Thanks again for all your help its appreciated

RiGGa

----------

## NeddySeagoon

riggagoogoo,

I would separate out assigning IP addresses to interfaces and routing.

```
ifconfig ath0 192.168.1.10
```

 should assign the address, then you can use the route command (/sbin/route) to add routes.

You will have to add static routes this way anyway.

In the server you need 

```
route add -net 192.168.0.0/24 gw 192.168.0.5 eth0

route add -net 192.168.1.0/24 gw 192.168.1.10 ath0
```

Which is what you have got.

Did you check for forwarding? *Quote:*   

> The server should already be set up to do forwarding.
> 
> On the server do
> 
> Code:
> ...

 

----------

## riggagoogoo

I have checked and forwarding is on however still can not ping the laptop from the workstation.....  

I have turned off the firewall on the server and still can not ping the laptop...

 :Sad: 

----------

## NeddySeagoon

riggagoogoo,

Can you ping the other way around ?

It's quite possible to be able to ping one way and not the other.

If you are in this state, post the routing tables from all three PCs.

If all else fails, emerge tcpdump and see what's coming and going on the interfaces.

edit: try incremental pinging, to the next interface in the link.

----------

## riggagoogoo

Nope, can't ping the other way round either...  I have installed tcpdump and results are as follows when run on server:

tcpdump ath0

When pinging from workstation (192.168.0.2) to wifi card in server (192.168.1.11) I get nothing

When pinging from server (via wifi card) to laptop I get packets as expected and can ping fine.

tcpdump eth0

Loads of packets received as expected

I am still none the wiser   :Sad: 

Thanks for your continuing help on this its appreciated

RiGGa

----------

## NeddySeagoon

riggagoogoo,

The server wifi card is 192.168.1.10

The server eth0 is 192.168.0.5

Can you 

```
ping 192.168.0.5
```

 from the workstation?

That's only 1 hop, so I expect yes.

Can you 

```
ping 192.168.1.10
```

 from the workstation?

If not, post the workstation routing table.

----------

## riggagoogoo

No, the laptop wifi card is 192.168.1.10, the server's is 192.168.1.11

Answers to your questions in order:

Yes

Nope (assuming you still mean 192.168.1.10)

However I can ping 192.168.1.11 (server wifi card) from the workstation.

Workstation routing table:

```
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         my.server       0.0.0.0         UG    0      0        0 eth0
```

This is driving me nuts now 

 :Laughing: 
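
Added example, not part of the original posts: a small longest-prefix-match lookup over the workstation routing table posted above, showing which entry the laptop's address 192.168.1.10 selects. The function names are made up for this sketch, and the second table is a constructed variant that sends 192.168.1.0/24 via the server's eth0 address 192.168.0.5.

```shell
#!/bin/sh
# Added illustration, not from the thread: longest-prefix-match lookup over
# `route` output, to see which entry a destination address selects.
# Function names are hypothetical.

ip_to_int() {   # dotted quad -> integer
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# route_lookup DEST, with the routing table on stdin.
# Prints "gateway interface" of the most specific matching entry; a gateway
# of "*" means the destination is treated as directly attached (on-link).
route_lookup() {
    dest=$(ip_to_int "$1"); best_mask=-1; best=""
    while read -r net gw mask flags metric ref use iface; do
        case "$net" in
            default) net=0.0.0.0 ;;
            [0-9]*) ;;
            *) continue ;;   # header lines and named entries such as loopback
        esac
        n=$(ip_to_int "$net"); m=$(ip_to_int "$mask")
        if [ $(( $dest & $m )) -eq $(( $n & $m )) ] && [ "$m" -gt "$best_mask" ]; then
            best_mask=$m; best="$gw $iface"
        fi
    done
    echo "$best"
}

# The workstation table as posted above.
workstation_table() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.0     *               255.255.255.0   U     0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        localhost       255.0.0.0       UG    0      0        0 lo
default         my.server       0.0.0.0         UG    0      0        0 eth0
EOF
}

# Constructed variant: 192.168.1.0/24 is reached through the server's eth0.
routed_table() {
    cat <<'EOF'
192.168.1.0     192.168.0.5     255.255.255.0   UG    0      0        0 eth0
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
default         192.168.0.5     0.0.0.0         UG    0      0        0 eth0
EOF
}

echo "as posted : $(workstation_table | route_lookup 192.168.1.10)"
echo "via server: $(routed_table | route_lookup 192.168.1.10)"
```

With the table as posted, 192.168.1.10 matches the `*` entry on eth0, so the workstation looks for the laptop directly on the wired segment instead of handing the packet to the server.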

----------

## NeddySeagoon

riggagoogoo,

Is it the same in the other direction - from the laptop can you ping the wifi and eth0 in the server?

----------

## riggagoogoo

Yes.., it would appear that the problem is definitely the routing on the server but I am at a loss as to what to do to resolve it... you got ICQ? It seems you are actively monitoring this thread, may be easier to chat realtime? And then I post the solution here for all to see if we come up with one...

----------

## NeddySeagoon

riggagoogoo,

I've never done icq - care to recommend a client?

Next experiment:-

1. From the laptop, ping the workstation. Use the IP number, not the name. If you have updated the /etc/hosts file, you may have made a typo. It's one less place for things to go wrong.

2. Run tcpdump on the server, capturing packets from eth0 (to/from the workstation). That's after packets have been forwarded by the server.

You should get something like  *Quote:*   

> roy@spike roy $ sudo /usr/sbin/tcpdump
> 
> Password:
> 
> tcpdump: listening on eth0
> ...

 

If tcpdump can resolve the IPs to names and 

 *Quote:*   

> roy@spike roy $ sudo /usr/sbin/tcpdump -n
> 
> tcpdump: listening on eth0
> 
> 12:55:39.099436 192.168.100.18 > 192.168.0.10: icmp: echo request (DF)
> ...

  if it can't or you force it not to with -n

Look at the IP addresses in the request packets (you won't have replies just yet) are they correct?

Have you got an active LED on the server eth0?

Does it blink?

Have you got an active LED on the Workstation Ethernet card?

Does it blink?

With all this network activity still going on, run tcpdump on the Workstation.

It should capture any packets on the wire, regardless of a correct IP address. Anything?

Post a few fragments.

----------

## riggagoogoo

For ICQ I would recommend either Gaim or Sim, I prefer Gaim myself.

I have sent you a PM with the latest update, I sent it before I read your last post here.  Once we have this nailed I will detail it here for others to see.

Cheers

RiGGa

----------

