# linux router question...

## Gentoo Bob

I'm wanting to turn my Gentoo linux box into a router, but not just a wired router: I also want to use it as a wireless router.  I have talked to a few people who have accomplished this but never got the instructions.  I know I need to buy a wireless PCI adapter card that is capable of Ad-hoc/access point networking.  Can anyone help me get this going?  I would really appreciate it.  

Thanks,

Gentoo Bob

----------

## hegga

I know this doesn't answer your question, but it is an alternative.

I've got a wireless Zyxel Zyair router, and I wanted Gentoo to be my router. So I installed and configured my Gentoo router, connected it to the ADSL modem and into the cable switch on my Zyair. I then disabled DHCP on my Zyair since it's running on the Gentoo machine.

All my wireless laptops now receive an IP from the Gentoo machine, without having to buy a wireless card for it.

Just a tip in case you have a wireless router lying around; I'm very satisfied with the solution.

----------

## Voorhees51

Just a suggestion: if you're not dead set on using gentoo you could take a look at monowall http://www.m0n0.ch/wall/ It will do it for you, and it's a fairly easy setup.

Also for the wireless card, one that uses the atheros chipset is my recommendation, I haven't had any problems with them.

----------

## a5friemen

I have a gentoo box as a router for my home network.  It's not hard.  I would recommend, though, that you use a wireless bridge or router rather than a wireless card in the machine.  You will have MUCH more range and more flexibility with your network topology.  

I'm using a Cisco/Linksys wireless broadband router and I added the Linksys high gain antenna set.  I have wireless anywhere on my property.  Total was around US$100 from a Nationwide Wal-store.  I only use it as a wireless bridge.  I have disabled the Broadband, routing, DNS, NAT, DHCP, etc. on the router.  It's just not configurable enough for me.  It is used for WEP and WPA, and if you want to allow friends/public on the wireless net it can query a RADIUS server.  It also has 4 10/100 wired ports that I use for my wired network.  If you need more a hub can be easily uplinked.

My Gentoo router box is an old desktop system that I don't have any other use for, and has three wired 10/100 cards.  One to connect to the wireless router, one to my cable modem, and one that I use for a DMZ to run public servers.  On this box I run gShield firewall, and DHCP and DNS for the local network.  (this isn't the safest setup, it would be better on a different box on the local net)  I have iptables and NAT enabled in the kernel as modules.  This box forwards the public server ports to the DMZ.  You don't need this if you don't plan to have any publicly available servers.  Setup took less than a day, and was mostly defaults.

Obviously this is very general, if anyone would like specifics please ask, and I'll try to put together a detailed HOWTO.

----------

## erik258

I also want a wireless router/gateway/firewall. 

Currently I have a $12 belkin wireless B AP.  It works OK.  Actually it works pretty great for internet access, and I would definitely suggest to someone needing to add Wireless to an existing network that this might be a good choice.

However I find it less than ideal for a few reasons.  Firstly, the configuration utility is a windows program ;(.  Of course, I can always boot into windows, but who wants to do that?  Of course I handle all the other network stuff, including network services, from linux, so it's a pain in the ass to have to reboot a box to get to the configuration utility.  Actually, in general the belkin configuration system leaves a lot to be desired.

Secondly I want to 'bump it up a notch' and move to G.  I put in a samba fileserver that just crawls over the B ap.  

Thirdly I want better control over packet shaping.  I know I could do this concerning my AP's ip address instead of adding a card, but it seems like a card is a lot cleaner.  

I already have a D-Link DWL-G520, I think, maybe it's a 510.  It has an Atheros chip and of that I can be sure without opening up the box of the computer which I'm not within 20 miles of right now.  good ol' ssh ; ).

Can anyone tell me: 

1. Can I use this Atheros-based device as an AP?
2. Can I make it work just like my belkin did, for all intents and purposes?
3. What network topology do I want? *

   -and-

4. Can I use MAC address filtering so only people I know can use the G connection?

 (* I would like it if I could get back at my wired subnet, to ssh into the computers wirelessly and use their services. However, can I do this?  That subnet goes out eth1 on my router, and into a switch.  The ap is hooked up to that.  Do I need a new subnet?  I need dhcpd to listen on ath0  (the atheros device) at least, and dnsmasq too.  )

As you can see, I'm about 70% clueless about how this would work.

Also, does anyone have any thoughts/ideas about setting up traffic shaping on my old B wireless AP so that my poor internet-lacking neighbors, if they have wireless, can use a trivial amount of my substantial bandwidth?  Any ideas or advice on that? 

Thanks, this is a project in which I am most interested.

----------

## UberLord

 *erik258 wrote:*   

> 4 Can I use MAC address filtering so only people I know can use the G connection?

 

MAC addresses can be spoofed.

Signed SSL certs cannot be yet as we know it, so use an unencrypted wireless network and use openvpn over the top of it and give each client their own signed cert. Just for a laugh, let un-encrypted wireless get DHCP addresses and do DDNS so they can see each other, but not your server or the internet.

My neighbour spent 30 mins informing me about how insecure my wireless network was and how he could walk me through securing it using WEP a few weeks ago ..... funny stuff  :Smile: 

----------

## erik258

Thanks for your reply; developers make the most helpful replies.

 *Quote:*   

> MAC addresses can be spoofed. 

 

but aren't they going to find it pretty difficult to guess just the right 12 hexadecimal digits to spoof?  Unless they're already connected of course...

That having been said, VPNs are always a neat idea.  I will check that out.  

 *Quote:*   

> use an unencrypted wireless network and use openvpn over the top of it and give each client their own signed cert--, let un-encrypted wireless get DHCP addresses and do DDNS --

 

This sounds adequate, but not optimal.  I have a few different computers connecting to the network, not a vast amount, but of a few separate breeds.  One is a windows box -- never fun to have to get system services and such working on those things.  I could use wep except ... do I want to?  It just seems so unnecessary if instead I can just make sure only my mac addresses are associated with.  Or WPA, but again, so complicated.  That's why I like the mac address solution, it's easy, doesn't scale well but I don't need it to, and especially nice, no client-side configuration at all.  It just works.

And what's this about 'DDNS'? I don't understand that at all... and by the way, could I use IPTABLES for this?  Could I achieve the same results by setting up my DNS so that MAC addresses that I supported would get valid ip addresses and routing info, but others which I did not authorize would get bogus IP addresses and my IPTables would inevitably, silently, drop their packets into thin air?  And if I did do this, could they get around it by just changing their ip address, guessing at default route and gw?  Sorry, I'm pretty much ignorant with this stuff.  Care to help correct that? 

On a side note, I do get to snicker at my neighbors just a little bit, because they can see my current AP but can't associate with it, even though it says it's not secured   :Twisted Evil: 

I also have wonderances about the 'Public AP' idea.  I was thinking, I want it to be outside of my internal network, untrusted.  Is there any way to do that?  Maybe an IPTables route that only allows traffic from the internet interface to the wireless interface with nothing in between?  Or is this question not clear?  Is this all just a stupid idea, giving them poor quality internet access?  One of my other neighbors has a totally open "Pre-N" wireless router anyway... but it might be fun...

----------

## UberLord

 *erik258 wrote:*   

>  *Quote:*   MAC addresses can be spoofed.  
> 
> but aren't they going to find it pretty difficult to guess just the right 12 hexadecimal digits to spoof?  Unless they're already connected of course...

 

They could in theory just listen to the wireless traffic and work out the MAC addresses after a few mins. Then they could connect.

 *Quote:*   

>  *Quote:*   use an unencrypted wireless network and use openvpn over the top of it and give each client their own signed cert--, let un-encrypted wireless get DHCP addresses and do DDNS --
> 
>  
> 
> This sounds adequate, but not optimal.  I have a few different computers connecting to the network, not a vast amount, but of a few separate breeds.  One is a windows box -- never fun to have to get system services and such working on those things.  I could use wep except ... do I want to?  It just seems so unnecessary if instead I can just make sure only my mac addresses are associated with.  Or WPA, but again, so complicated.  That's why I like the mac address solution, it's easy, doesn't scale well but I don't need it to, and especially nice, no client-side configuration at all.  It just works.

 

You'll need some client side config, like choosing the right access point, dhcp or static. OK, so making your own SSL certs per box is a little more work, but the extra security and peace of mind it gives is worth it IMO.

 *Quote:*   

> and What's this about 'DDNS' ? I don't understand that at all...

 

Dynamic DNS. My server runs DNS and serves DHCP. When a DHCP client called 'bob' connects, it adds 'bob' to the DNS domain for the DHCP server so local clients can now ping 'bob' by name instead of having to know his IP address. Handy for LAN parties  :Smile: 

 *Quote:*   

>  and by the way, could I use IPTABLES for this?  Could I achieve the same results by setting up my DNS so that MAC addresses that I supported would get valid ip addresses and routing info,  but others which I did not authorize would get bogus IP addresses and my IPTables would inevitably, silently, drop their packets into thin air?  And if i did do this, could they get around it by just changing their ip address, guessing at default route and gw?  Sorry, i'm pretty much ignorant with this stuff.  Care to help correct that?

 

Yes you could, and yes you can easily get around that. Changing IP addresses is trivial, and spoofing a MAC address is slightly harder but still easy to do. As you have the "vpn" interface on the server you can trust all traffic from that as it's secure. Well, as secure as the vpn is and it doesn't get any harder than signed ssl certs.

 *Quote:*   

>  *Quote:*   On a side note, i do get to snicker at my neighbors just  a little bit, because they can see my current AP but can't associate with it, even though it says it's not secured    
> 
> I also have wonderances about the 'Public AP' idea .  I was thinking, i want it to be outside of my internal network, untrusted.  Is there any way to do that?  Maybe an IPTables route that only allows traffic from the internet interface to the wireless interface with nothing in between?  Or is this questino not clear?  Is this all just a stupid idea, giving them poor quality internet access?  One of my other neighbors has a totally open "Pre-N" wirelessrouter anyway... but it might be fun...

 

Sure, that's what I do.

10.x.0.0/24 is my LAN ethernet. If you're wired you get basic services and internet

10.x.2.1/24 is my wireless ethernet. You only get internal DNS and dhcp.

10.x.1.1/24 is my VPN which listens on both wired and wireless connections. Connect to this and you get full network access.
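The three zones UberLord describes, written out as iptables rules. This is an added example, not his firewall script from http://dev.gentoo.org/~uberlord/firewall and not the Gentoo guide's rules; the interface names eth0/eth1/ath0/tun0, OpenVPN on 1194/udp and ssh as the wired "basic service" are assumptions. The per-interface source checks are what stop the "just change your IP address" bypass discussed earlier from hopping between zones.

```shell
#!/bin/sh
# Added example (not UberLord's firewall script or the Gentoo guide's rules): an
# iptables rule set for the three-zone layout described above.
# Zones, following the 10.73.x.0/24 scheme in this thread:
#   LAN  (eth1, 10.73.0.0/24): basic services on the router plus NATed internet
#   WIFI (ath0, 10.73.2.0/24): open, untrusted; only DHCP and DNS from the router
#   VPN  (tun0, 10.73.1.0/24): OpenVPN over wired or wireless; full access
# Interface names, the OpenVPN port (1194/udp) and ssh as the "basic service" are assumptions.
WAN=eth0; LAN=eth1; WIFI=ath0; VPN=tun0
LAN_NET=10.73.0.0/24; WIFI_NET=10.73.2.0/24; VPN_NET=10.73.1.0/24
IPT=${IPT:-iptables}   # IPT=echo prints the rules instead of loading them

three_zone_rules() {
    # Default deny for anything the rules below do not explicitly allow
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # DHCP first: a DISCOVER comes from 0.0.0.0, so it must precede the source checks
    for IF in $LAN $WIFI; do
        $IPT -A INPUT -i $IF -p udp --sport 68 --dport 67 -j ACCEPT
    done
    # A client that changes its IP cannot claim another zone's address range:
    # each interface only accepts its own subnet as source
    $IPT -A INPUT -i $LAN ! -s $LAN_NET -j DROP
    $IPT -A INPUT -i $WIFI ! -s $WIFI_NET -j DROP
    $IPT -A INPUT -i $VPN ! -s $VPN_NET -j DROP
    $IPT -A FORWARD -i $LAN ! -s $LAN_NET -j DROP
    $IPT -A FORWARD -i $VPN ! -s $VPN_NET -j DROP

    # DNS from the router for wired and wireless; OpenVPN reachable from both
    for IF in $LAN $WIFI; do
        $IPT -A INPUT -i $IF -p udp --dport 53 -j ACCEPT
        $IPT -A INPUT -i $IF -p tcp --dport 53 -j ACCEPT
        $IPT -A INPUT -i $IF -p udp --dport 1194 -j ACCEPT
    done

    # Wired LAN: ssh to the router and NATed internet access
    $IPT -A INPUT -i $LAN -p tcp --dport 22 -j ACCEPT
    $IPT -A FORWARD -i $LAN -o $WAN -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $LAN_NET -o $WAN -j MASQUERADE

    # Wireless: nothing else to the router and nothing forwarded at all (there is
    # no FORWARD rule for ath0, so the DROP policy applies). Log the rejected
    # attempts, rate-limited, so probing by unknown clients shows up in syslog.
    $IPT -A INPUT -i $WIFI -m limit --limit 5/min -j LOG --log-prefix "wifi-open-drop: "
    $IPT -A INPUT -i $WIFI -j DROP

    # VPN: trusted once the cert check has passed; router, LAN and internet reachable
    $IPT -A INPUT -i $VPN -j ACCEPT
    $IPT -A FORWARD -i $VPN -j ACCEPT
    $IPT -t nat -A POSTROUTING -s $VPN_NET -o $WAN -j MASQUERADE
}

# Load the rules only when invoked as "apply"; running without arguments
# just defines the function (use IPT=echo ./script apply to review them)
if [ "${1:-}" = "apply" ]; then three_zone_rules; fi
```

Wireless clients on the same ath0 subnet still reach each other without passing the router; that isolation (or the lack of it) is a property of the AP, not of these rules.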

----------

## erik258

Thanks again.  This is really helpful.  

 *Quote:*   

> They could in theory just listen to the wireless traffic and work out the MAC addresses after a few mins

 

That's logical, thank you. I don't think it's a big concern necessarily... but you never know who's gonna be living downstairs next month, you know?  You've definitely convinced me against that solution.

Knowing nothing about vpn's, how long do you think it would take me to set up?   I guess I could delve in... 

Any thoughts about using an encryption scheme instead, something that might be easier to support on multiple, heterogeneous wireless hosts?  

 *Quote:*   

> as secure as the vpn is and it doesn't get any harder then signed ssl certs. 

 

I'm sorry, I don't understand that sentence.  Any harder to configure?  To crack?  I have ignored for now, let me know if it's important

 *Quote:*   

> it adds 'bob' to the DNS domain for the DHCP server so local clients can now ping 'bob' by name instead of having to know his IP address.

 

That's awesome.  I am already actually running both dhcp and dns ('dnsmasq'); is that sufficient for getting hostnames from the hosts themselves? If so, can you help me configure it?  That would be awesome.  I just need the line and the file, if you know what I mean.  Do the names come from each dhcp client's internal hostname?  Awesome...

Thanks again, you should know you're doing some weighty consulting for top-level topology adjustments on a network of 6 or more hosts ; ) 

Happy linuxing.

----------

## kill[h]er

 *UberLord wrote:*   

>  *erik258 wrote:*    *Quote:*   MAC addresses can be spoofed.  
> 
> but aren't they going to find it pretty difficult to guess just the right 12 hexadecimal digits to spoof?  Unless they're already connected of course... 
> 
> They could in theory just listen to the wireless traffic and work out the MAC addresses after a few mins. Then they could connect.

 

It's quite a bit simpler than that, even.  You can defeat MAC filtering simply by spoofing your MAC as the MAC of the AP.  The AP's MAC has to be trusted, so an attacker can bypass MAC filtering in less than a minute.

Funny story, I went to CEH (certified ethical hacker) class and the instructor didn't even know that one.  I proved it to him.

----------

## UberLord

 *erik258 wrote:*   

> knowing nothing about vpn's, how long do you think it would take me to set up?   i guess I could delve in... 

 

You can set up a simple openvpn client/server in minutes using a static key

http://openvpn.net/static.html

 *Quote:*   

>  *Quote:*   as secure as the vpn is and it doesn't get any harder than signed ssl certs.  
> 
> I'm sorry, I don't understand that sentence.  Any harder to configure?  To crack?  I have ignored for now, let me know if it's important

 

I mean that they will need a copy of the ssl cert to connect. So if you protect the certs (only root can read fex) then it's good.

 *Quote:*   

> that's awesome.  I am already actually running both dhcp and dns ('dnsmasq') is that sufficient for getting hostname from hosts themselves?

 

dnsmasq does this without any extra config by default  :Smile: 

 *Quote:*   

> thanks again, you should know you're doing some weighty consulting for top-level topology adjustments on a network of 6 or more hosts ; )

 

 :Smile: 

----------

## erik258

that's great.  thanks again.

----------

## erik258

Hi. 

I've spent a few days setting this up on my router, but to no avail.  But I'm close, very very close I think.

I haven't gotten to the security part yet... I guess it seems like that's only important if I can get DHCP and DNS working.  And iptables too.  

Here's my problem.  I can set up the wifi as an ap.  It was a little difficult, but only insofar as I -gasp- had to do some sleuthing and read some instructions.  I can set up my laptops (clients) to connect to it and if I configure the ip address, gateway, nameservers it works.  But (as you guessed already) dhcp does not work. I have no idea why.

Ironically, I was doing really well at first.  I had problems with my iptables, or so I think.  I am using the Gentoo Home Router Guide http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap4 as a reference.  (is it just me, or is iptables pretty tricky? )  I think these lines are the problem: 

 *Quote:*   

> # iptables -A INPUT -p TCP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP
> 
> # iptables -A INPUT -p UDP -i ! ${LAN} -d 0/0 --dport 0:1023 -j DROP

 

As you may know, the howto has an export line so that $LAN is properly defined.  But I have two separate 'LAN' devices, a wired lan the box already NATs for, and the wireless card which I would like it to NAT for.  

My solution was to simply retype all the LAN commands for both devices, and remove references to '! ${LAN}', replacing them with 'eth0' instead, which is my link to the outside world.  Please tell me, does this work properly?  It seems to, at least once I set net address etc. manually.  And at first I forgot to set /proc/sys/net/ipv4/conf/ath0/rp_filter, but once I enabled that, all was good for internet forwarding, or so it seems.

My DNS was/wasn't working.  I think the line

 *Quote:*   

> # iptables -A INPUT -p UDP --dport domain -i ! ${LAN} -j REJECT

may have broken it.  I fixed that, obviously, and now it seems to work.  Does that make sense?  Or was it just a co-incidence?

If all my assumptions above are correct, no need to bother yourself answering them all.  But I would really appreciate it if you looked over my dhcp.conf file, if nothing else

 *Quote:*   

> davey dhcp # cat dhcpd.conf
> 
> authoritative; 
> 
> ddns-update-style ad-hoc;
> ...

The domain-name-servers part is correct in the file; it was set to my ISP's nameserver ip, though, so I didn't want to publish it here.  Seems taboo on these forums at least.

Any problems you see there?  

And maybe if you could help me with DNS too, I would love it if you checked this over for me, maybe answered the following questions...

 *Quote:*   

> davey etc # cat /etc/dnsmasq.conf | grep ^[^#]
> 
> domain-needed
> 
> bogus-priv
> ...

 

the lines w/ ###...### are the only ones I changed when setting up the router for the wired ethernet.  I haven't changed anything else yet.  

Is the fact that I have a domain set to 'apt311.net' but tell my wireless dhcpcd-given hosts that they're a part of a 'g.apt311.net' a potential problem?  Can I set two domains?  

Do I need to run two domain servers, one for each domain, and use the bind-interfaces option?  I don't even know if I can run two separate ones at once with dnsmasq... am I asking too much from this simple program?  Would I have an easier time if I just set up my wireless lan to get ip addresses in the 192.168.1.0 subnet, in a different range than my wired lan gets?  Can I do that?  Do I need to add my wireless interface to the 192.168.1.0 subnet instead of 192.168.2.0?  

I apologize for such a long post.  As you can see I am confused.  I'll keep hacking at it whenever I'm home, and If you (or anyone else) has any ideas for me, I would love to hear them.  

Thanks a million.

--dan


----------

## UberLord

 *erik258 wrote:*   

> Ironically, I was doing really well at first.  I had problems with my iptables, or so I think.  I am using the Gentoo Home Router Guide http://www.gentoo.org/doc/en/home-router-howto.xml#doc_chap4 as a reference.  (is it just me, or is iptables pretty tricky? )  I think these lines are the problem: 

 

Personally I don't like the firewall in the home router guide, so I wrote a small script to make things nice and easy

http://dev.gentoo.org/~uberlord/firewall

I use it on my workstations without any config, but with this config on my server

```
LOG=false

PORTS_IN="auth domain ssh http https ftp ftp-data 50000:50100 imap \
    imaps smtp openvpn kerberos klogin"

NFS_PORTS="2049 32764:32767 4001"

PORTS_IN_IP=(
        "10.73.0.0/24 10.73.1.0/24 fee1::/64"
        "syslog 137:139 ipp postgresql portmapper rsync ldap ldaps ${NFS_PORTS} bootps bootpc tftp ntp 3689"
        "10.73.2.0/24" "bootps bootpc"
)

LOCAL_IPV4="10.73.0.0/24 10.73.1.0/24"
LOCAL_IPV6="fee0::/64 fee1::/64"

PORTS_OUT="@ALL"

FORWARD_IPV6="2001:618:xxxx:xxxx::/64"

BLOCK="84.50.48.131"

FORWARD_INTERFACES=( "vpn lan" )
FORWARD_INTERFACES_IPV6=( "vpn 6to4" )
```

There's some overlap in the config as one part is currently a work in progress, but hey. Works For Me

 *Quote:*   

> If all my assumptions above are correct, no need to bother yourself answering them all.  But I would really appreciate it if you looked over my dhcp.conf file, if nothing else

 

Hold it. You cannot mix dhcp with dnsmasq as dnsmasq does its own dhcp. Stop using it and just use dnsmasq  :Smile: 

Then you will be golden  :Smile: 

----------

## erik258

Greetings once more from beyond the internet.  

I hope to decipher and copy/modify/use your script, once I have a few hours to work on this.  Thanks a ton, I will keep my eyes on it as it evolves.  

Thanks for the help.  I was kind of wondering why I had set up dhcpd and dnsmasq together... doesn't make much sense, does it.  Who knows what I was thinking ... if I recall correctly I wanted a commercial-grade dhcp server.  Why?  who knows - probably delusions of grandeur due to reading The Linux Administration Handbook.  

Hopefully I can get this working soon.  54Mbps G, here I come!

PS dhcpcd and dnsmasq don't inherently conflict, at least I don't think so, since I have dhcp services disabled in dnsmasq.  But now that I have other more important things to configure, and better ways to make my life more complicated, I will take your advice to heart.  I very much love it when my network is "golden".

----------

