Copyright © 2000 Hugo Haas
$Id: wireless-lan.html 6342 2007-12-24 06:48:43Z larve $
This document describes how to set up a wireless LAN using Linux in order to share an Internet connection. It is called Wireless LAN at Home Howto because there is already a Wireless LAN Howto.
I wanted to share my Internet connection at home with my roommate, but we didn't want to bother with cables everywhere in the apartment. We therefore decided to go wireless, which would also allow us to move around our place freely with our laptops, as two happy geeks. :-)
I set up a solution based on one laptop running Linux doing masquerading, and it works great. The operation is not complex, but I thought that I would document it here, since it doesn't seem to be documented as such anywhere else.
I am a Debian user, so this Howto is somewhat Debian-oriented, but it is easy to do the same with any other distribution. I will also describe the case of a cable modem, but PPP or DSL basically works the same way.
I decided to write this page in order to provide some quick information to set this up.
Before reading this, you should be familiar with:
We have one connection to our ISP, and we want to connect several computers. This is something straightforward with Linux and masquerading.
The idea is to connect a laptop to the Internet connection, and stick a wireless card into it so that it has two network interfaces and can act as a network address translation (NAT) box for the wireless LAN.
However, it requires some configuration on the wireless side: usually, the wireless cards talk to a base station which advertises itself, which is not the case here, so they need to be told how to talk together.
This section describes what you have to do to have everything running.
Here is the equipment you need:
Below is a diagram of what the network setup looks like.
This diagram is available as PNG and SVG, although the SVG version produced by dia and sanitized by myself isn't that good.
This section describes what needs to be done to have the system working.
Again, this guide is Debian-oriented. It describes what needs to be done with Debian "potato" 2.2.
First, you should install Linux on the machine. The installation is described in the Debian installation guide. You should do an installation as skinny as possible: the fewer programs running, the better.
The PCMCIA modules in Debian 2.2 do not support the wireless cards very well (you need at least pcmcia-cs version 3.1.12). Download from the unstable distribution:
With that installed, the laptop recognizes both network cards. It now needs to know how to set them up. This is done by editing the configuration files in /etc/pcmcia.
The network card connected to the cable modem must (most likely) request an IP address from the DHCP server, and the wireless card must use an IP address on a private network (say 192.168.1.1/255.255.255.0).
The cards are differentiated in the configuration files using their MAC address. This address is given by cardmgr in /var/log/syslog when the card is inserted.
If the wireless card has a MAC address starting with 11:22:33, /etc/pcmcia/network.opts looks like:
case "$ADDRESS" in
*,*,*,11:22:33:*)
INFO="Wireless card"
# Transceiver selection, for some cards -- see 'man ifport'
IF_PORT=""
# Use BOOTP (via /sbin/bootpc, or /sbin/pump)? [y/n]
BOOTP="n"
# Use DHCP (via /sbin/dhcpcd, /sbin/dhclient, or /sbin/pump)? [y/n]
DHCP="n"
# If you need to explicitly specify a hostname for DHCP requests
DHCP_HOSTNAME=""
# Host's IP address, netmask, network address, broadcast address
IPADDR="192.168.1.1"
NETMASK="255.255.255.0"
NETWORK="192.168.1.0"
BROADCAST="192.168.1.255"
# Gateway address for static routing
GATEWAY=""
# Things to add to /etc/resolv.conf for this interface
DOMAIN=""
SEARCH=""
# The nameserver IP addresses specified here complement the
# nameservers already defined in /etc/resolv.conf. These nameservers
# will be added to /etc/resolv.conf automatically when the PCMCIA
# network connection is established and removed from this file when
# the connection is broken.
DNS_1=""
DNS_2=""
DNS_3=""
# NFS mounts, should be listed in /etc/fstab
MOUNTS=""
# If you need to override the interface's MTU...
MTU=""
# For IPX interfaces, the frame type and network number
IPX_FRAME=""
IPX_NETNUM=""
# Run ipmasq? [y/n] (see the Debian ipmasq package)
IPMASQ="n"
# Extra stuff to do after setting up the interface
start_fn () { /etc/init.d/ipmasq start; return; }
# Extra stuff to do before shutting down the interface
stop_fn () { /etc/init.d/ipmasq stop; return; }
# Card eject policy options
NO_CHECK="n"
NO_FUSER="n"
;;
*,*,*,*)
INFO="DHCP"
# Transceiver selection, for some cards -- see 'man ifport'
IF_PORT=""
# Use BOOTP (via /sbin/bootpc, or /sbin/pump)? [y/n]
BOOTP="n"
# Use DHCP (via /sbin/dhcpcd, /sbin/dhclient, or /sbin/pump)? [y/n]
DHCP="y"
# If you need to explicitly specify a hostname for DHCP requests
DHCP_HOSTNAME=""
# Host's IP address, netmask, network address, broadcast address
IPADDR=""
NETMASK=""
NETWORK=""
BROADCAST=""
# Gateway address for static routing
GATEWAY=""
# Things to add to /etc/resolv.conf for this interface
DOMAIN=""
SEARCH=""
# The nameserver IP addresses specified here complement the
# nameservers already defined in /etc/resolv.conf. These nameservers
# will be added to /etc/resolv.conf automatically when the PCMCIA
# network connection is established and removed from this file when
# the connection is broken.
DNS_1=""
DNS_2=""
DNS_3=""
# NFS mounts, should be listed in /etc/fstab
MOUNTS=""
# If you need to override the interface's MTU...
MTU=""
# For IPX interfaces, the frame type and network number
IPX_FRAME=""
IPX_NETNUM=""
# Run ipmasq? [y/n] (see the Debian ipmasq package)
IPMASQ="n"
# Extra stuff to do after setting up the interface
start_fn () { return; }
# Extra stuff to do before shutting down the interface
stop_fn () { return; }
# Card eject policy options
NO_CHECK="n"
NO_FUSER="n"
;;
esac
(ignore start_fn() and stop_fn() for now)
The wireless card then needs to be told that there is no base station. This setup uses the Ad-Hoc demo mode of the ORiNOCO cards. The new peer-to-peer mode (IBSS) is apparently not supported by Linux. This is done by editing /etc/pcmcia/wireless.opts:
case "$ADDRESS" in
*,*,*,11:22:33:*)
INFO="Wireless LAN"
# ESSID (extended network name) : My Network, any
ESSID="My example network"
# NWID/Domain (cell identifier) : 89AB, 100, off
NWID=""
# Operation mode : Ad-Hoc, Managed, Master, Repeater, Secondary, auto
MODE="Ad-Hoc"
# Frequency or channel : 1, 2, 3 (channel) ; 2.422G, 2.46G (frequency)
FREQ=""
CHANNEL=""
# Sensitivity (cell size + roaming speed) : 1, 2, 3 ; -70 (dBm)
SENS=""
# Bit rate : auto, 1M, 11M
RATE=""
# Encryption key : 4567-89AB-CD, s:password
KEY=""
# RTS threshold : off, 500
RTS=""
# Fragmentation threshold : off, 1000
FRAG=""
# Other iwconfig parameters : power off, ap 01:23:45:67:89:AB
IWCONFIG=""
# iwspy parameters : + 01:23:45:67:89:AB
IWSPY=""
# iwpriv parameters : set_port 2, set_histo 50 60
# This is only necessary if you are running a firmware more recent
# than 6.04, in which case you will need the new ORiNOCO driver
# included in Linux 2.4.
IWPRIV="set_port3 1"
;;
esac
At that point, the clients and the NAT box can talk together, and the NAT box can talk to the Internet, but the clients cannot. Masquerading needs to be activated.
On a Debian system, this is simply done by installing the ipmasq package. To avoid problems, prevent it from running at startup (rm -f /etc/rc?.d/*ipmasq) and run it instead when the wireless card is configured, hence the start_fn() and stop_fn() functions above.
If you have to do this by hand, this is very simple with ipchains (the source network must be the wireless one, 192.168.1.0/24 in this setup):
/sbin/ipchains -P forward DENY
/sbin/ipchains -A forward -s 192.168.1.0/24 -j MASQ
ipmasq also adds paranoid rules so that your internal network is really secure behind the NAT box.
See the IP Masquerading Howto for more details.
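As an added example (not code from this HOWTO or from the ipmasq package), here is a small shell script that produces the hand-made rule set described above together with the kind of anti-spoofing rules ipmasq's "paranoid" setup is meant to provide: a default DENY policy on the forward chain, masquerading only for the 192.168.1.0/24 wireless network and only towards the external interface, and logged denial of packets arriving from the Internet side that claim a private or loopback source address. The interface names eth0 (cable modem side) and wvlan0 (ORiNOCO card) are assumptions. The rules are printed first so they can be reviewed; the apply argument turns on IP forwarding and runs them.

```shell
#!/bin/sh
# Added example, not from the original HOWTO: generate and apply the ipchains
# rule set for the NAT box.  Interface names are assumptions (eth0 towards the
# cable modem, wvlan0 for the wireless card); the address range matches the
# 192.168.1.0/24 wireless LAN used throughout the text.
EXT_IF="${EXT_IF:-eth0}"
WLAN_IF="${WLAN_IF:-wvlan0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"

# Print the rule set, one ipchains invocation per line, without running it,
# so it can be reviewed (or diffed against the running configuration) first.
masq_rules() {
    cat <<EOF
/sbin/ipchains -F input
/sbin/ipchains -F forward
/sbin/ipchains -P forward DENY
/sbin/ipchains -A input -i $EXT_IF -s 10.0.0.0/8 -j DENY -l
/sbin/ipchains -A input -i $EXT_IF -s 172.16.0.0/12 -j DENY -l
/sbin/ipchains -A input -i $EXT_IF -s 192.168.0.0/16 -j DENY -l
/sbin/ipchains -A input -i $EXT_IF -s 127.0.0.0/8 -j DENY -l
/sbin/ipchains -A forward -i $EXT_IF -s $LAN_NET -j MASQ
EOF
}
# Notes on the rules above:
#  - "-P forward DENY" means nothing is routed between the two cards unless a
#    rule says so; the only rule is the MASQ one for the wireless network.
#  - On the forward chain, "-i" names the interface the packet will leave by,
#    so LAN traffic is masqueraded only when it goes out via $EXT_IF.
#  - The input rules drop (and log, "-l") packets from the cable modem side
#    whose source address is one that can only be legitimate on the inside.

# Number of rules generated (handy for checking the output).
rule_count() {
    masq_rules | wc -l | tr -d ' '
}

# Enable routing between the cards and load the rules.  Must run as root.
apply_rules() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
    masq_rules | sh -e
}

case "${1:-}" in
    apply) apply_rules ;;
    *) masq_rules ;;
esac
```

Run it without arguments to see the rules, and as root with apply once the wireless card is up; the apply call can replace the ipmasq start in start_fn() for the wireless card in /etc/pcmcia/network.opts.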
Now the machines on the internal network can talk to the Internet.
The configuration of the clients is easy. They just need to have their wireless card told that there is no base station, which is done the same way as for the NAT box.
The gateway, as far as the clients are concerned, is the NAT box (192.168.1.1). More details about setting up the clients behind a NAT box can be found in the IP Masquerading Howto.
In order to make everyone's life easier, DHCP can be used as we are going to see in the next section.
We now have the wireless LAN basically running. A few services can be added to make life easier.
/etc/pcmcia/wireless.opts can be edited to add encryption so that your neighbors don't use your network. See iwconfig(8).
There are modules for masquerading Real Video, Quake, IRC, etc. Those are not inserted in the kernel by default. This is done by commenting out all in /etc/ipmasq/modules.
In order to specify to the client the network configuration (gateway, name servers, IP address), DHCP can be used.
Just install a DHCP server (dhcp package) and run it on the wireless interface only. /etc/init.d/dhcp's start function should look like:
start-stop-daemon --start --quiet --pidfile $DHCPDPID --exec /usr/sbin/dhcpd -- wvlan0
You can add /etc/init.d/dhcp start to start_fn() for the wireless card in /etc/pcmcia/network.opts.
You should edit /etc/dhcpd.conf according to your
parameters:
option domain-name "YOUR_DOMAIN";
option domain-name-servers YOUR_NAME_SERVERS;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.1;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.2 192.168.1.254;
}
By being behind a NAT box, the clients lose their auth (identd) capabilities. This can be fixed by installing an identd which supports masquerading, such as oidentd or midentd.
You can install different services on the NAT box to work as "proxies":
If you are running your NAT box as a router and nothing else, you can get rid of a lot of useless (and potentially vulnerable) services. Basically, you can remove everything you won't use (atd, cron, etc.).
And in order to keep the laptop quiet, you can have its disk spin down when it's idle (i.e. most of the time) with noflushd.
You basically end up with a secure NAT box which can run on a sluggish machine without any problem: my setup runs on a P100 with 16MB of RAM; there are (including the kernel threads) 12 processes running, occupying less than 3.5MB of RAM. :-)