Wireless access point from laptop HOWTO.

How to create a wireless access point and router, from a laptop.

Krastyo Komsalov

http://komsalov.homelinux.org/
http://ca.linkedin.com/in/kkomsalov

<kkomsalov@gmail.NOSPAM.com>

2012-04-15
Revision History
Revision 2.0 2012-06-29 Revised by: Me
Changed the document title. Fixed a number of spelling
mistakes.
Revision 1.1 2012-01-01 Revised by: ME
Created first DocBook version.
Revision 1.0 2011-10-09 Revised by: ME
First UNofficial release.

This is the simplest instruction I managed to write on how to
make a wireless access point from a computer with a wireless
adapter.
__________________________________________________________

Table of Contents
About this document

.1. Copyright and License
.2. Translations
.3. Preface
.4. Acknowledgments
.5. Feedback
.6. Conventions used in this document

2. Introduction
3. Hardware description
4. Some possible network configurations

4.1. Keep your old router and append the Aspire inside,
providing two additional wireless networks.
Configuration (a.).

4.2. Using only Aspire as AP. Configuration (b.).
4.3. Bridging between the two private networks and NATing
only "Welcome" public network. Configuration (c.).

5. Initial Configuration (a.) - installation instructions for
all the necessary software for all configurations.

5.1. The easiest way of installing Slackware on Acer
Aspire One

5.2. Kernel configuration
5.3. Remote access - XDMCP
5.4. For consideration:
5.5. Necessary:
5.6. Optional programs:

6. Configuration (b.) - VLAN's and switches
7. Configuration (c.) - bridging
8. Clients setup - WPA and WPA2 with self-signed certificates.

8.1. Linux.
8.2. Mac OS X 10.7.2
8.3. Itouch.
8.4. Windows 7

9. Additional administrative tasks you may consider necessary.

9.1. Limit bad clients - bit torrent.
9.2. Traffic shaping
9.3. Cache DNS server.
9.4. Log configuration.

10. Some final words.
A. GNU Free Documentation License

A.1. GNU Free Documentation License
A.2. PREAMBLE
A.3. APPLICABILITY AND DEFINITIONS
A.4. VERBATIM COPYING
A.5. COPYING IN QUANTITY
A.6. MODIFICATIONS
A.7. COMBINING DOCUMENTS
A.8. COLLECTIONS OF DOCUMENTS
A.9. AGGREGATION WITH INDEPENDENT WORKS
A.10. TRANSLATION
A.11. TERMINATION
A.12. FUTURE REVISIONS OF THIS LICENSE
A.13. HOW TO USE THIS LICENSE FOR YOUR DOCUMENTS

About this document

.1. Copyright and License

Copyright (c) 2012 by Krastyo Komsalov.

Permission is granted to copy, distribute and/or modify this
document under the terms of the GNU Free Documentation License,
Version 1.1 or any later version published by the Free Software
Foundation; with no Invariant Sections, no Front-Cover Texts,
and with no Back-Cover Texts. A copy of the license is included
in Appendix A.
__________________________________________________________

.2. Translations

If you know of any translations for this document, or you are
interested in translating it, please email me
<kkomsalov@gmail.com>.
__________________________________________________________

.3. Preface

The main reason for writing this document is to share my
surprise of how easy it is to convert a laptop into a wireless
access point on Slackware.
__________________________________________________________

.4. Acknowledgments

I wish to express my gratitude towards my two sons Petko
Komsalov and Viktor Komsalov who helped me with the countless
hours of their time in the redaction of this guide. The
finalized form of this guide would not have been publishable,
if not for their advice and counseling during the rooting out
of inconsistencies and mistakes.
__________________________________________________________

.5. Feedback

Find something wrong with this document? (Or perhaps something
right?) I would love to hear from you. Please email me at
<kkomsalov@gmail.com>.
__________________________________________________________

.6. Conventions used in this document

The following typographic and usage conventions occur in this
text:

Table 1. Typographic and usage conventions
Text type                 Meaning
"Quoted text"             Quotes from people, quoted computer output.
terminal view             Literal computer input and output captured
                          from the terminal.
command                   Name of a command that can be entered on the
                          command line.
option                    Option to a command, as in "the -a option to
                          the ls command".
parameter                 Parameter to a command, as in "read man ls".
command options arguments Command synopsis or general usage, on a
                          separate line.
filename                  Name of a file or directory, for example
                          "Change to the /usr/bin directory."
Menu->Choice              Choice to select from a graphical menu, for
                          instance: "Select Help->About Mozilla in your
                          browser."
The author                Click-able link to an external web resource.

Thanks to Machtelt "Tille" Garrels for this list of
conventions.
__________________________________________________________

2. Introduction

The main reason for writing this document is to share my
surprise of how easy it is to convert the Aspire One into a
wireless access point on Slackware and how good the Aspire One
hardware is for this. By chance I happened to have some free
time and a three year old Aspire in my hands, so I decided to
do something about my growing dissatisfaction with my home
router. I live in a crowded Wi-Fi area with over 30 access
points coming from the apartments around me and my router
obviously has trouble with this. What I wanted was a wireless
router over which I would have full control of all settings:
log level control, the ability to install additional software
for traffic analysis, a decent iptables firewall, RADIUS; in
short, a wireless router with a full Linux installed on it.

a. I chose to use FreeRADIUS, since I wanted not only support
   for WPA and the ability to add further access points with
   roaming, but also the extensibility to any user database,
   from local flat files to LDAP. Hostapd has its own
   integrated RADIUS, but the freedom of having FreeRADIUS was
   so tempting; besides, the setup with a flat ASCII users
   file is really easy. In this configuration RADIUS is set up
   to use files.
b. IPv6 and DNSSEC are here to stay and no embedded router has
   all the functionality which I have with Linux. IPv6 and
   DNSSEC configuration is not included in this HOWTO guide,
   but the freedom to configure them is there.
c. I wanted to have not only a standard firewall, but the full
   power of iptables. A simple functionality like SSH tunnels
   that allow home access from school for my kids is tricky
   with my router and traffic shaping is simply not available.
   For this reason Firewall Builder is included in this
   configuration with a basic rule set. I think it is by far
   the best firewall management solution on the market and it
   is free for Linux users.
d. I wanted to have at least two wireless networks (different
   SSIDs), to safely open one of them and share some of my
   bandwidth with my neighbours. This I hope will make me feel
   less ripped off next time I pay my internet bill.
e. The other solution, OpenWrt, had two disadvantages: my
   router is too weak to support OpenWrt and any router that is
   powerful enough for everything that I want would cost nearly
   as much as or more than the Aspire, which I already have.
__________________________________________________________

3. Hardware description

My Acer Aspire One is a Model KAV10, which is one of Acer's
oldest models. Since then Acer has produced many new models,
but the only important part for this configuration is the model
of the wireless adapter within it. From what I found, Acer has
been changing the adapter in nearly all newer models of Aspire.
All the models I checked come with a different adapter made by
Atheros (although it's important to verify the producer). If you
are thinking of buying the laptop, check its wireless adapter in
advance. For mine, lspci and dmesg give this:
bash-4.1# lspci
01:00.0 Ethernet controller: Atheros Communications Inc. AR5001 Wireless Network Adapter (rev 01)
03:00.0 Ethernet controller: Atheros Communications AR8121/AR8113/AR8114 Gigabit or Fast Ethernet (rev b0)
bash-4.1# dmesg |grep Atheros
[ 10.367156] ath5k phy0: Atheros AR2425 chip found (MAC: 0xe2, PHY: 0x70)

This is really good news as it seems that Atheros is one of the
best supported adapters on Linux (the people from The MadWifi
project are doing excellent work).

Surprisingly, Windows gives different information:

[Atheros_win.jpg]

If it turns out that your adapter is different from mine, you
will have to investigate further in order to be sure it
supports AP mode. To accomplish this you will need the "iw"
command. You probably have it already, but for the source and
some documentation go to:
http://linuxwireless.org/en/users/Documentation/iw. The most
informative syntax is:

iw list

It will give you a pretty long output. In it look for the part
that is similar to the following:
Supported interface modes:
 * IBSS
 * managed
 * AP
 * AP/VLAN
 * monitor
 * mesh point
Supported commands:

If there is a line "* AP" it is good news: you have the
necessary AP support for hostapd.
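A small parser that does this check on the output of "iw list", added here as an example and not part of the original HOWTO; it goes a little beyond the text by handling several adapters, since iw prints one block per "Wiphy". The sample output is constructed from the fragment above, with an invented second adapter (phy1) that lacks AP mode.

```python
"""Parse `iw list` output and report which wiphys support AP mode.

Added example, not from the HOWTO. `iw list` groups its output per
adapter under a "Wiphy <name>" line; this handles any number of them.
"""
import sys

# Constructed sample, modelled on the "Supported interface modes" fragment
# in the text; phy1 is an invented second adapter without AP support.
SAMPLE_IW_LIST = """\
Wiphy phy0
    Band 1:
        Capabilities: 0x172
    Supported interface modes:
         * IBSS
         * managed
         * AP
         * AP/VLAN
         * monitor
         * mesh point
    Supported commands:
         * new_interface
Wiphy phy1
    Supported interface modes:
         * managed
         * monitor
    Supported commands:
         * new_interface
"""


def parse_interface_modes(iw_output):
    """Return {wiphy_name: [mode, ...]} for every wiphy in the output.

    The mode list is the run of " * <mode>" bullet lines that follows
    "Supported interface modes:"; the first non-bullet line (normally
    "Supported commands:") ends it.
    """
    modes_by_phy = {}
    current = None
    in_modes = False
    for raw in iw_output.splitlines():
        line = raw.strip()
        if line.startswith("Wiphy "):
            current = line.split(None, 1)[1]
            modes_by_phy[current] = []
            in_modes = False
        elif line == "Supported interface modes:" and current is not None:
            in_modes = True
        elif in_modes:
            if line.startswith("* "):
                modes_by_phy[current].append(line[2:].strip())
            else:
                in_modes = False
    return modes_by_phy


def phys_supporting_ap(iw_output):
    """Names of wiphys whose mode list contains the exact entry "AP".

    "AP/VLAN" alone does not count: hostapd needs plain AP mode.
    """
    return [phy for phy, modes in parse_interface_modes(iw_output).items()
            if "AP" in modes]


if __name__ == "__main__":
    # Usage:  iw list | python3 check_ap_mode.py   (falls back to the sample)
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_IW_LIST
    ap_phys = phys_supporting_ap(text)
    if ap_phys:
        print("AP mode supported on: " + ", ".join(ap_phys))
    else:
        print("no wiphy reports AP mode; hostapd will not work with this adapter")
```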

If it turns out that your chipset is different from mine you
can check whether it is supported on the MadWifi website. The
MadWifi website is also by far the best source of documentation
I have found. This will be one of your primary sources of
knowledge when you decide to adjust the configuration given
below to your needs, experiment with it or simply improve it.

If you do not have Linux installed already, you can boot it
from a Slackware or SystemRescueCd USB stick and do some
investigation on your Aspire.

The model of my old router, "Linksys SRX 200", shown as part of
two of the three configurations, is not important. You may use
any wireless router if you have one, or avoid using one at all
if you decide to permanently dedicate the Aspire as your
wireless router.
__________________________________________________________

4. Some possible network configurations

4.1. Keep your old router and append the Aspire inside, providing two
additional wireless networks. Configuration (a.).

[2AP3net_masq.jpg]

In this configuration the Ethernet port of the Aspire is
connected directly to "SRX 200". This solves the problem of the
Aspire having only one Ethernet port. Two Ethernet ports are
required: one for the Internet link, the other for the internal
switch that provides Internet access to Ethernet-connected
computers. The two wireless networks are NAT'ed to the
192.168.1.55 IP address. The reason for this is not only to put
ssid "Welcome" in a separate network and simplify firewalling,
but also to resolve some NAT and routing problems. First, the
devices in 192.168.1.0/24 must have a route to 192.168.11.0/24.
I had no problem adding routes within Linux and Solaris, but my
network printer simply has no such thing as a routing table in
its web interface. Second, adding the route in "SRX 200" is not
a problem, but "SRX 200" refuses to NAT any network other than
the one connected to its interface. This is probably solvable by
subnetting its network, but I think the next configurations
(b.) and (c.) are better solutions. Even with all its
disadvantages, I think this configuration is the best starting
point as it will not cause any disruptions or changes in your
current setup until all configurations on the Aspire are done
and tested; then it can easily be converted to any other.
__________________________________________________________

4.2. Using only Aspire as AP. Configuration (b.).

[Aspire_only.jpg]

This configuration frees you from any later worries and is the
optimal variant, but there is a price to pay. Since the Aspire
has only one Ethernet adapter you have to add a second one.
There are two solutions. The first one (shown on the picture)
is to use an intelligent or managed switch to VLAN the eth0.
The second one is to use a USB to Ethernet adapter, to convert
one of the USB ports to Ethernet. The drawback of the switch
solution is that it is much more expensive, though it has the
advantage of speed, stability and simplicity. The USB to
Ethernet adapter is much cheaper, but it comes with doubtful
Linux driver support and uncertain speed and reliability. There
is one more small detail to mention: depending on what kind of
Internet connection you have there will be different setups for
the uplink adapter. If you use a cable connection then it
simply has to be on DHCP. In the case of ADSL (my case) you
will need to configure PPPoE. On Slackware you simply have to
run the pppoe-setup script.
__________________________________________________________

4.3. Bridging between the two private networks and NATing only
"Welcome" public network. Configuration (c.).

[2AP3net_Bridge.jpg]

In this configuration the interfaces eth0 and wlan0 are
bridged. The network 192.168.1.0/24 can be accessed through
either the "kristo" or the "Acer_A1" ssid. The DHCP server on
the Aspire is bound only to the wlan0_0 interface. NAT to
192.168.1.55 is only done for 172.17.0.0/16. The computers
accessing the 192.168.1.0/24 network through ssid "Acer_A1" get
their IP addresses from the DHCP server on "SRX 200". Other
solutions would be available if the DHCP server on "SRX 200"
were more manageable. For example, instead of bridging the two
parts of 192.168.1.0/24, it would be more elegant to subnet
192.168.1.0/24 and set up a DHCP helper for the part in ssid
"Acer_A1".

This configuration has two advantages. The first is that it
avoids both the routing problem of solution (a.) and the
consequent NAT'ing of "Acer_A1". Second, it allows the Aspire
to be turned off while networking remains through your old
router. If you can't afford to dedicate your Aspire as AP, this
is the best configuration. It provides a stable network when
you do not need the Aspire and allows you to disconnect the
Aspire from the network for personal use, while preserving a
functional network.
__________________________________________________________

5. Initial Configuration (a.) - installation instructions for all the
necessary software for all configurations.

I installed all the necessary programs from source in
/usr/local. I left some configuration files in /usr/local/etc
and moved some to /etc/. There are Slackware packages on
SlackBuilds.org, or you can make your own if you decide it is
worth the effort, considering that installing from source is
easier.
__________________________________________________________

5.1. The easiest way of installing Slackware on Acer Aspire One

This chapter is probably unnecessary, but I love to preach
about Slackware.

You need a Linux FTP server to host a Slackware mirror, and a
USB stick.

First you have to create a Slackware mirror by getting the
script mirror-slackware-current.sh from Alien Pastures and
running it. The script will put the mirror by default in the
/home/ftp directory, which is exactly where you need it for the
last step.

After this is done insert a USB stick, go to the directory

/home/ftp/pub/Linux/Slackware/slackware-current/usb-and-pxe-installers

unmount the USB stick if it is mounted and run the script to
make a bootable USB stick:
cd /home/ftp/pub/Linux/Slackware/slackware-current/usb-and-pxe-installers
dmesg |grep sd
[86504.700524] sdb: sdb1
[86504.708517] sd 6:0:0:0: [sdb] Assuming drive cache: write through
umount /dev/sdb1
sh usbimg2disk.sh -i usbboot.img -o /dev/sdb

Boot from the USB stick and install Slackware. Here is how to
do it: http://www.slackbook.org/html/installation.html. Use a
network cable (it makes things easier) to connect the laptop to
the network; you will need it anyway to access the machine
during the configuration of the access point, and afterwards as
your uplink.
__________________________________________________________

5.2. Kernel configuration

It is a good idea to start by recompiling your kernel. Click on
.config to download my configuration file into /usr/src/linux.
This is not a fully optimized version: only the processor is
set to Intel Atom and some obviously unnecessary stuff is
removed. I chose not to put here a version that is too
customized to my needs. I used the -j 8 option since it makes
bzImage and modules faster. It seems -j 8 gives the best
results, but on the first compilation you will not have this
advantage. Anyway, it will take forever to compile even with
the -j 8 option. It is important not to forget to reinstall the
MadWifi drivers if someday you decide to optimize your kernel.

In case you want to keep Windows and resize its partition, the
best solution is SystemRescueCd. Follow the instructions for
installing it on a USB stick from here:
http://www.sysresccd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_an_USB-stick.
It is a good idea to archive the partitions of your Aspire, in
case you decide to return it to the current state someday, if
you can afford the space to keep the images.
__________________________________________________________

5.3. Remote access - XDMCP

Depending on how comfortable you feel with the small keyboard
and monitor of the Aspire, you may consider enabling XDMCP. Here
is a good guide on how to do it:
http://alien.slackbook.org/blog/running-x-window-on-ms-windows/.
If you have Cygwin already installed you will not need to
install an X server; simply run

xwin -query Aspire.IP.address

from a Cygwin terminal.
__________________________________________________________

5.4. For consideration:

FreeRADIUS http://freeradius.org/ - Formally, RADIUS support is
necessary only if you want the following capabilities: WPA
Enterprise authentication, being able to add more access points,
or authentication against external user databases like LDAP or
Novell eDirectory. It is also important to consider the choice
between the standalone RADIUS server and the hostapd integrated
RADIUS support. With so many choices, I thought it is a good
idea to explain my arguments for choosing FreeRADIUS. First of
all, WEP in its 128 bit version is acceptable for home security,
but it is so easy to configure that it takes away all the fun
from the task. In its most basic configuration FreeRADIUS is
really easy to install and configure, which means that obtaining
WPA requires only a modest amount of effort. Configuring RADIUS
is certainly not easy (it requires a lot of patience) and it may
take days to set it up as an LDAP gateway, but it is five
minutes' work in the simplest scenario, as in the example here
with flat ASCII files. I suspect that using the hostapd
integrated RADIUS allows for a lower CPU load than a separate
RADIUS server and this has to be considered for small embedded
routers. FreeRADIUS though has low processing requirements, so
the dedicated Aspire can easily run it.

If you opt for FreeRADIUS, you can download the latest version
from http://freeradius.org/download.html. I used the
freeradius-server-2.1.11 version. The installation is as simple
as typing the commands ./configure, make, make install. The
following instructions can be used to configure RADIUS:
http://wiki.freeradius.org/Basic-configuration-HOWTO. If you
used ./configure without additional options the "users" file
will be created in "/usr/local/etc/raddb".

* First, create some users, simply by appending at the end of
  the "users" file something like:
  User1 Cleartext-Password := "password1"
* Second, change the "secret=12345:-)" statement in
  clients.conf. No further actions are needed since all
  communications in this configuration go through the loopback
  address that is configured by default.
* Third, copy the rc.radiusd script from
  freeradius-server-2.1.11/scripts to /etc/rc.d/. Run the
  first tests of your newly installed RADIUS server with
  "radiusd -X". Once you are satisfied, insert the line
  "/etc/rc.d/rc.radiusd start" in the "/etc/rc.d/rc.local"
  file. Create the file "/etc/rc.d/rc.local_shutdown", make
  it executable and put the corresponding
  "/etc/rc.d/rc.radiusd stop" in it. From now on, if there
  are problems with RADIUS you will look in
  /usr/local/var/log/radius. There is also a lot of
  authentication related information in
  /usr/local/var/log/radius/radacct/127.0.0.1.
* Finally, the default self-signed certificates generated
  during the installation in "/usr/local/etc/raddb/certs" are
  good, but if you want your self-signed certificates to show
  something different you can generate your own. All of the
  certificates are located in the RADIUS sub-directory
  "certs".
__________________________________________________________

5.5. Necessary:

* MadWifi project
  http://madwifi-project.org/
* hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS
  Authenticator
  http://hostap.epitest.fi/hostapd/.

I used hostapd-0.7.3 and madwifi-0.9.4-r4167-20110827.

First, I installed MadWifi since there is a remark about
hostapd in README-WPS mentioning that hostapd needs to be told
the location of the MadWifi libraries. All the instructions for
installing MadWifi are found within the INSTALL file of the
source. Look in the README file in the source for the necessary
kernel configuration. Make the necessary changes in your kernel
or simply use my kernel .config. The only thing not mentioned
that I thought necessary to do is to enter "make install" at the
end, simply to be sure all is in place.

Second, I installed hostapd. Here comes the most sophisticated
part of the whole installation. Within the source directory
(wherever you extracted it), there is a subdirectory hostapd.
You need a .config file in order to compile hostapd. Copy the
defconfig file to the .config file in the same directory and
then edit the .config file. Its editing depends on the
configuration that you want to build and the types of
authentication that you plan to support. There are many
important options that need consideration when editing the
.config file. For example, do you want RADIUS and if yes with
what kind of support, etc. These are the changes I made to my
.config:

CONFIG_DRIVER_MADWIFI=y
CFLAGS += -I/tmp/2/madwifi-0.9.4-r4167-20110827 # change to the madwifi source directory
CONFIG_DRIVER_NL80211=y
CONFIG_WPS=y
CONFIG_WPS_UPNP=y
CONFIG_RADIUS_SERVER=y
CONFIG_IEEE80211R=y
CONFIG_DRIVER_RADIUS_ACL=y
CONFIG_IEEE80211N=y

And here is the link to get my .config, which I called
"hostapd.config" to avoid confusion with the kernel .config.
Copy it into the hostapd subdirectory, rename it .config and
then "make", "make install". Change the path to the MadWifi
libraries depending on your installation location choice:
CFLAGS += -I/tmp/2/madwifi-0.9.4-r4167-20110827

I strongly recommend reading my file and also the README and
README-WPS that are in the same directory even if you simply
decide to use my configuration file. This will give you a better
understanding and may also spark ideas for interesting
experiments. If you decide to dig deeper, check the
dependencies between the variables in the Makefile "ifdef
constructions". Follow the "Matrix" movie's advice and "Go to
the source".

Create the /etc/hostapd/ directory and copy into it at least
the hostapd.conf file (do not confuse it with my hostapd.config,
which is a copy of my .config for hostapd) from the source
directory. These are the changes for configuration (a.):
#driver=madwifi
#ctrl_interface_group=0
#ssid=test
ssid=Acer_A1
hw_mode=g
channel=11
ieee8021x=1
eapol_key_index_workaround=1
nas_identifier=komsalov.homelinux.org
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=12345:-)
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=12345:-)
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
wpa_group_rekey=300
wpa_gmk_rekey=640
bss=wlan0_0
ssid=Welcome

You may need to copy some other files, and possibly create some,
if you decide to change the configuration, and of course fix the
paths to them in hostapd.conf. Here is my hostapd.conf for the
network configuration (a.). It can be used as it is; the only
absolutely necessary change is to put in your RADIUS secret:
auth_server_shared_secret=12345:-)
acct_server_shared_secret=12345:-)

At first, run hostapd in the terminal, like this:
/usr/local/bin/hostapd -dd /etc/hostapd/hostapd.conf

You can either start directly with my file or with the example
file from the source directory first. The example file will
create one open network with ssid=test, giving you some
confidence. It is a good idea to begin like this before setting
up the DHCP server and eventually masquerading with the
firewall. This will help you pinpoint the problems that need to
be fixed. If you start two or more encrypted ssid's, DHCP, DNS
and the firewall at once, it will be harder to identify the
source of the eventual problems. It is also good to test the
configuration with any wireless client other than Windows; even
a simple iPod would be better. Configuring Windows to work with
RADIUS self-signed keys for WPA is a bit tricky and it is hard
to pinpoint what gives you the problem, the client or the AP.
There are two things you may consider here: to use CCMP instead
of TKIP and to switch from WPA to WPA2. I decided to leave this
decision for configuration (c.), because this is the one I will
keep until I can afford to dedicate my Aspire to configuration
(b.).
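A checker for the hostapd.conf above that reports, per BSS, exactly the two points just raised (WPA1 and TKIP), plus an open BSS and a RADIUS shared secret still equal to the example value. This is an added example, not code from the HOWTO or from hostapd; the sample configuration is the configuration (a.) snippet with an interface= line added so the primary BSS has a name.

```python
"""Audit a multi-BSS hostapd.conf for the weak settings discussed above.

Added example, not from the HOWTO or from hostapd. Per BSS it reports:
open network, WPA1 only (wpa=1), TKIP pairwise cipher, and a RADIUS
shared secret still equal to the example value from the text.
"""

# Constructed sample: the configuration (a.) changes from the HOWTO, with
# an interface= line added so that the primary BSS has a name.
SAMPLE_HOSTAPD_CONF = """\
interface=wlan0
#driver=madwifi
#ssid=test
ssid=Acer_A1
hw_mode=g
channel=11
ieee8021x=1
eapol_key_index_workaround=1
nas_identifier=komsalov.homelinux.org
auth_server_addr=127.0.0.1
auth_server_port=1812
auth_server_shared_secret=12345:-)
acct_server_addr=127.0.0.1
acct_server_port=1813
acct_server_shared_secret=12345:-)
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
wpa_group_rekey=300
wpa_gmk_rekey=640
bss=wlan0_0
ssid=Welcome
"""

# The placeholder secret that the HOWTO's example file ships with.
EXAMPLE_SECRET = "12345:-)"
# hostapd's default pairwise cipher list when the key is absent.
DEFAULT_PAIRWISE = "TKIP CCMP"


def parse_hostapd_conf(text):
    """Split a hostapd.conf into one dict per BSS (key -> value strings).

    Keys before the first 'bss=' belong to the primary BSS, named by its
    'interface=' line; each 'bss=<ifname>' line opens a new section whose
    settings start from hostapd's defaults again (no inheritance).
    """
    sections = [{"_name": "primary"}]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "bss":
            sections.append({"_name": value})
        elif key == "interface" and len(sections) == 1:
            sections[0]["_name"] = value
        else:
            sections[-1][key] = value
    return sections


def audit_bss(bss):
    """Return a list of finding strings for one BSS section."""
    findings = []
    wpa = int(bss.get("wpa", "0"))          # bitmask: 1 = WPA, 2 = WPA2/RSN
    if wpa == 0:
        findings.append("open network (wpa=0): fine only for a deliberate guest SSID")
        return findings
    if not wpa & 2:
        findings.append("WPA1 only (wpa=1); set wpa=2 to require WPA2")
    ciphers = set()
    if wpa & 1:
        ciphers |= set(bss.get("wpa_pairwise", DEFAULT_PAIRWISE).split())
    if wpa & 2:
        # rsn_pairwise falls back to wpa_pairwise when it is not set
        ciphers |= set(bss.get("rsn_pairwise",
                               bss.get("wpa_pairwise", DEFAULT_PAIRWISE)).split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed; use CCMP only")
    if "WPA-EAP" in bss.get("wpa_key_mgmt", "").split():
        for key in ("auth_server_shared_secret", "acct_server_shared_secret"):
            if bss.get(key) == EXAMPLE_SECRET:
                findings.append("%s still holds the example value" % key)
    return findings


def audit_hostapd_conf(text):
    """Map each BSS name to its findings; an empty list means nothing flagged."""
    return {bss["_name"]: audit_bss(bss) for bss in parse_hostapd_conf(text)}


if __name__ == "__main__":
    for name, findings in audit_hostapd_conf(SAMPLE_HOSTAPD_CONF).items():
        print(name + ":")
        for finding in findings or ["no findings"]:
            print("  - " + finding)
```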

You can get rc.hostapd from
http://slackbuilds.org/repository/13.0/network/hostapd/, after
you get bored of looking at hostapd in a terminal and running it
manually. Put rc.hostapd in the /etc/rc.d directory, fix the
paths in it, call it from /etc/rc.d/rc.local and stop it from
rc.local_shutdown.

At this stage your rc.local should look like this:
#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

/etc/rc.d/rc.radiusd start

/sbin/ifconfig wlan0 up
/sbin/iwconfig wlan0 channel auto

route add default gw 192.168.1.1

/sbin/ifconfig wlan0 192.168.11.1

/etc/rc.d/rc.hostapd start

/sbin/ifconfig wlan0_0 172.17.0.1

/usr/sbin/dhcpd wlan0 wlan0_0

#EOF

And your rc.local_shutdown:
#!/bin/sh
#

/etc/rc.d/rc.hostapd stop

# stop the RADIUS server that rc.local started
/etc/rc.d/rc.radiusd stop

#EOF

The "/sbin/ifconfig wlan0 up ; /sbin/iwconfig wlan0 channel
auto" commands in rc.local should not be necessary, but if you
do not give them you will get an error when hostapd sets the
channel.

Here is my simple dhcpd.conf file:
authoritative;
ddns-update-style none;

default-lease-time 604800;
# 7 days 7*86400

max-lease-time 2592000;
# 30 days 30*86400

subnet 192.168.11.0 netmask 255.255.255.0 {
  range 192.168.11.10 192.168.11.100;
  range 192.168.11.150 192.168.11.200;

  option domain-name "mydomain.org";
  option broadcast-address 192.168.11.255;
  option routers 192.168.11.1;
  option domain-name-servers 192.168.11.1, 207.164.234.193, 207.164.234.129;
}

subnet 172.17.0.0 netmask 255.255.0.0 {
  range 172.17.0.10 172.17.255.250;

  option domain-name "mydomain.org";
  option broadcast-address 172.17.255.255;
  option routers 172.17.0.1;
  option domain-name-servers 172.17.0.1, 207.164.234.193, 207.164.234.129;
}

#log-facility local7;

I decided to have a caching DNS server on the Aspire; it is not
mandatory, but it is necessary to put your DNS servers in
dhcpd.conf.
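A sanity check for the dhcpd.conf above, added here as an example (not from the HOWTO or from ISC dhcpd): it parses the two subnet blocks and verifies that every range, the router and the broadcast address fit the subnet, that the router does not fall inside a lease range, and that DNS servers are handed out. The regex parser is an assumption of this example and understands only the statements the file above uses.

```python
"""Sanity-check the dhcpd.conf above: ranges, router and broadcast per subnet.

Added example, not from the HOWTO or ISC dhcpd. The regex parser only
understands the statements used in the text (subnet/netmask blocks with
range, option routers, option broadcast-address, option
domain-name-servers); anything else is ignored.
"""
import ipaddress
import re

# Constructed sample: the two subnets from the HOWTO's dhcpd.conf.
SAMPLE_DHCPD_CONF = """\
authoritative;
ddns-update-style none;
default-lease-time 604800;
max-lease-time 2592000;
subnet 192.168.11.0 netmask 255.255.255.0 {
  range 192.168.11.10 192.168.11.100;
  range 192.168.11.150 192.168.11.200;
  option domain-name "mydomain.org";
  option broadcast-address 192.168.11.255;
  option routers 192.168.11.1;
  option domain-name-servers 192.168.11.1, 207.164.234.193, 207.164.234.129;
}
subnet 172.17.0.0 netmask 255.255.0.0 {
  range 172.17.0.10 172.17.255.250;
  option domain-name "mydomain.org";
  option broadcast-address 172.17.255.255;
  option routers 172.17.0.1;
  option domain-name-servers 172.17.0.1, 207.164.234.193, 207.164.234.129;
}
"""

SUBNET_RE = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)
RANGE_RE = re.compile(r"\brange\s+(\S+)\s+(\S+)\s*;")
OPTION_RE = re.compile(r"\boption\s+(\S+)\s+([^;]+);")


def parse_subnets(text):
    """Return a list of {"network", "ranges", "options"} per subnet block."""
    subnets = []
    for net_addr, mask, body in SUBNET_RE.findall(text):
        net = ipaddress.IPv4Network("%s/%s" % (net_addr, mask))
        ranges = [(ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi))
                  for lo, hi in RANGE_RE.findall(body)]
        options = {name: [v.strip().strip('"') for v in value.split(",")]
                   for name, value in OPTION_RE.findall(body)}
        subnets.append({"network": net, "ranges": ranges, "options": options})
    return subnets


def check_subnet(sub):
    """Return a list of problem strings for one parsed subnet block."""
    net, opts, problems = sub["network"], sub["options"], []
    router = opts.get("routers", [None])[0]
    router = ipaddress.IPv4Address(router) if router else None
    for lo, hi in sub["ranges"]:
        if lo > hi:
            problems.append("range %s-%s is reversed" % (lo, hi))
        if lo not in net or hi not in net:
            problems.append("range %s-%s is not inside %s" % (lo, hi, net))
        if router is not None and lo <= router <= hi:
            problems.append("router %s lies inside range %s-%s" % (router, lo, hi))
    if router is None:
        problems.append("no 'option routers'")
    elif router not in net:
        problems.append("router %s is not inside %s" % (router, net))
    bcast = opts.get("broadcast-address")
    if bcast and ipaddress.IPv4Address(bcast[0]) != net.broadcast_address:
        problems.append("broadcast-address %s should be %s"
                        % (bcast[0], net.broadcast_address))
    if not opts.get("domain-name-servers"):
        problems.append("no 'option domain-name-servers'")
    return problems


def check_dhcpd_conf(text):
    """Map each subnet (as 'a.b.c.d/n') to its list of problems."""
    return {str(s["network"]): check_subnet(s) for s in parse_subnets(text)}


if __name__ == "__main__":
    for subnet, problems in check_dhcpd_conf(SAMPLE_DHCPD_CONF).items():
        print(subnet + ": " + ("; ".join(problems) if problems else "ok"))
```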
__________________________________________________________

5.6. Optional programs:

Firewall Builder by NetCitadel http://www.fwbuilder.org/
Having a firewall is not exactly an option, but you will have
to do some NAT with iptables anyway. Of course you may do it
manually, but I strongly recommend Firewall Builder. It is from
my point of view by far the best firewall management solution on
the market and is free on Linux. Here is a simple script
acerap.fw generated with it for configuration (a.), as an
example. On Slackware, download the source, compile it and then
run ldconfig after "make install".

Wireshark - http://www.wireshark.org/
Wireshark is unnecessary for the current configuration, but at
some moment you certainly will want to know what is going on. As
you are anyway in the process of downloading and compiling,
install it to have it on hand when necessary. I recommend that
you put at least "./configure --enable-threads" if no other
option. It improves performance and the program remains stable.
__________________________________________________________

759 6. Configuration (b.) - VLAN's and switches
760
761 For this configuration I used a Cisco Catalyst 2900 XL switch.
762 I am on Bell Sympatico ADSL with SpeedStream 5360 Ethernet ADSL
763 modem, which is actually only a bridge. It turned out that it
764 does not matter how I configured the port of the Cisco
765 Catalyst, it did not detect the SpeedStream. Finally, I gave up
766 and used one small 5 port TrendNet TE100-SS/CA switch in
767 between them. Since all SpeedStream 5360's are gone nowadays,
768 you probably will not have this problem. DSL modems nowadays
769 are actually routers and have integrated PPPoE support and for
770 this configuration it is only necessary to VLAN the switch and
771 eth0. I used a Cisco Catalyst (which is actually not so bad)
772 only because this is what I managed to borrow, but if you are
773 thinking of buying a switch look for something better.
774
I configured two additional VLAN's on it:

VLAN Name       Status  Ports
---- ---------- ------- -------------------------------------------------
1    default    active  Fa0/2, Fa0/3, Fa0/4, Fa0/5, Fa0/6, Fa0/7, Fa0/8,
                        Fa0/13, Fa0/14, Fa0/15, Fa0/16, Fa0/20, Fa0/21,
                        Fa0/22, Fa0/23, Fa0/24
2    VLAN0002   active  Fa0/9, Fa0/10, Fa0/11, Fa0/12
3    VLAN0003   active  Fa0/17, Fa0/18, Fa0/19

791
Port Fa0/1 is a tagged port. I am not giving the detailed commands
to set it up, since they will depend on whatever switch model you
have.
795
From the Linux side it is really easy; type the commands:

ifconfig eth0 0.0.0.0
(to remove the IP address from eth0)
ip link add link eth0 name eth0.1 type vlan id 1
ip link add link eth0 name eth0.2 type vlan id 2
ifconfig eth0.1 up
ifconfig eth0.2 up

Of course in "vlan id NN" the NN will have to be replaced with
your VLAN ID. In my case the new IP addresses are set back like
this:

ifconfig eth0.1 0.0.0.0
ifconfig eth0.2 192.168.1.55 netmask 255.255.255.0
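
The same VLAN setup done with iproute2 only, wrapped in shell functions that can be rerun from rc.local without failing on an already existing sub-interface, as an added example (my code, not the HOWTO's commands). The interface names, the VLAN ids and the 192.168.1.55/24 address follow the configuration above; the function names, the DRY_RUN switch and the id range check are my own assumptions.

```shell
#!/bin/sh
# Added example, not the HOWTO's own commands: VLAN sub-interfaces with
# iproute2 only, in functions that are safe to rerun from rc.local.
# Interface names, VLAN ids and the address are taken from the HOWTO's
# configuration (b.) and are assumptions for your setup.
# DRY_RUN=1 prints the commands instead of executing them.

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# trunk_up PARENT: the trunk interface carries tagged frames only, so it
# gets no address of its own (the HOWTO's "ifconfig eth0 0.0.0.0").
trunk_up() {
    run ip addr flush dev "$1"
    run ip link set dev "$1" up
}

# vlan_up PARENT VLANID [ADDR/PREFIX]: create PARENT.VLANID, bring it up
# and optionally give it an address. Rejects ids outside 1..4094 and
# reuses an already existing sub-interface instead of failing on it.
vlan_up() {
    parent=$1; vid=$2; addr=${3:-}
    case "$vid" in
        ''|*[!0-9]*) echo "vlan_up: VLAN id '$vid' is not a number" >&2; return 1 ;;
    esac
    if [ "$vid" -lt 1 ] || [ "$vid" -gt 4094 ]; then
        echo "vlan_up: VLAN id $vid is outside 1..4094" >&2; return 1
    fi
    dev="$parent.$vid"
    if [ "${DRY_RUN:-0}" = "1" ] || ! ip link show dev "$dev" >/dev/null 2>&1; then
        run ip link add link "$parent" name "$dev" type vlan id "$vid"
    fi
    run ip link set dev "$dev" up
    if [ -n "$addr" ]; then
        run ip addr replace "$addr" dev "$dev"   # "replace" makes this idempotent
    fi
}

# Layout assumed from configuration (b.) of the HOWTO:
#   eth0.1  uplink towards the modem, no address
#   eth0.2  the LAN side of the access point
case "${1:-}" in
    apply)   trunk_up eth0; vlan_up eth0 1; vlan_up eth0 2 192.168.1.55/24 ;;
    dry-run) DRY_RUN=1; trunk_up eth0; vlan_up eth0 1; vlan_up eth0 2 192.168.1.55/24 ;;
esac
```

Run it as "sh vlan.sh dry-run" first to see the commands it would issue, then with "apply" as root. Afterwards "ip -d link show eth0.2" shows the 802.1Q id the kernel attached, which is the quickest way to confirm that the tag matches the one configured on the switch port.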
810
If you like, you can go with something more traditional like
192.168.1.1 for your future default gateway. I used eth0.1 as
the uplink. If you want your physical wireless and wired
networks to be in the same network, to mimic the behavior of
commercial routers, you can bridge eth0.2 and wlan0. Check
configuration (c.) below for help with bridging. The only real
reason you may want this is to use a Microsoft (TM) workgroup
network, though in that case you should consider installing
Samba as a master browser on the Aspire.
820
In my case I had to set up PPPoE by running the pppoe-setup
script. This will not be necessary for most people, but if it
is for you, then pay attention to the last question asked by
the pppoe-setup script and answer it depending on the firewall
management you choose. You may also run into path MTU discovery
problems with Internet providers such as Bell Sympatico. (PPPoE
lowers the MTU to 1492 bytes, and when the ICMP "fragmentation
needed" messages that path MTU discovery relies on are filtered
somewhere on the way, large TCP segments silently vanish.) If it
turns out that you are able to ping external machines, but
browsing barely works if at all, you will have to use a command
like the next one in your firewall script:

iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

In case you decide to use Firewall Builder, it is only a matter
of ticking the "Clamp MSS to MTU" check box in the firewall
settings. If you want to know more about this problem, check the
"Linux Advanced Routing & Traffic Control HOWTO".
837
I implemented the configuration with a managed switch rather
than the one with the USB-to-Ethernet converter, since to start
with I have no such device. The second problem with such
devices is actually making them work. Finally, I have
difficulties believing the speeds that the manufacturers of all
USB-to-Ethernet converters advertise.
844 __________________________________________________________
845
846 7. Configuration (c.) - bridging
847
I chose to stay with this configuration for now, since it
allows me to pull my Aspire out of the network from time to
time without losing Internet connectivity. When travelling, I
use my Aspire as a GPS device in combination with a
USB-connected satellite antenna.
853
These are the commands, in the necessary order, placed inside
the /etc/rc.d/rc.local file:

#!/bin/sh
#
# /etc/rc.d/rc.local: Local system initialization script.
#
# Put any local startup commands in here. Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

/etc/rc.d/rc.radiusd start

/sbin/ifconfig wlan0 up
/sbin/iwconfig wlan0 channel auto

/etc/rc.d/rc.hostapd start

# wlan0_0 is the second BSS created by hostapd (the "Welcome" network)
/sbin/ifconfig wlan0_0 172.17.0.1

/sbin/ifconfig eth0 up
/sbin/ifconfig wlan0 up

# --- bridging: this block is what distinguishes configuration (c.) ---
/usr/sbin/brctl addbr br0
/sbin/ifconfig br0 up
/usr/sbin/brctl addif br0 eth0
/usr/sbin/brctl addif br0 wlan0

/sbin/ifconfig br0 192.168.1.55
# --- end of bridging ---

/sbin/route add default gw 192.168.1.1

# DHCP only for the Welcome network; Acer_A1 clients get their
# leases through the bridge from the Linksys router
/usr/sbin/dhcpd wlan0_0

/etc/rc.d/firewall/acerap_br.fw
/etc/rc.d/rc.traffic_shaping start

/etc/rc.d/rc.bind restart

#EOF

894
The part that concerns bridging is the brctl/br0 block in the
middle. Bridging on Linux is really easy and it should not cause
you any trouble. Spanning tree should be off, as it is by
default; turn it on only if you really know what you are doing.
The dhcpd is bound only to wlan0_0 to serve 172.17.0.0/16
addresses to the Welcome network. The network with the Acer_A1
SSID gets its IP addresses from the "Linksys SRX 200" DHCP
server through the bridge (it forwards broadcasts
transparently). The rc.traffic_shaping script is for traffic
shaping, which turned out to be necessary because some of the
clients in Welcome misbehaved (see 9. Additional administrative
tasks).
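
The bridging part of this configuration done with iproute2 instead of brctl, as an added example (my code, not the HOWTO's rc.local): it keeps spanning tree explicitly off, strips the member ports of any address before enslaving them, and can be rerun without failing on an existing bridge. br0, eth0, wlan0, 192.168.1.55 and the gateway 192.168.1.1 are the values from the script above; the function names and the DRY_RUN switch are assumptions of mine.

```shell
#!/bin/sh
# Added example, not the HOWTO's rc.local: bridging with iproute2
# (brctl has been superseded by ip/bridge). Names and addresses are
# the HOWTO's; the helper names are my own.
# DRY_RUN=1 prints the commands instead of executing them.

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# bridge_up BRIDGE ADDR/PREFIX GATEWAY PORT...
bridge_up() {
    br=$1; addr=$2; gw=$3; shift 3
    [ $# -ge 1 ] || { echo "bridge_up: no member ports given" >&2; return 1; }
    # Create the bridge only if it is not there yet, so rc.local can be rerun.
    if [ "${DRY_RUN:-0}" = "1" ] || ! ip link show dev "$br" >/dev/null 2>&1; then
        run ip link add name "$br" type bridge
    fi
    # STP stays off, as the HOWTO advises: one AP behind one router cannot
    # form a loop, and STP would hold the ports in listening/learning for
    # about 30 seconds after every boot.
    run ip link set dev "$br" type bridge stp_state 0
    for port in "$@"; do
        # The bridge, not the port, holds the IP address; the HOWTO's script
        # likewise never assigns one to eth0 or wlan0.
        run ip addr flush dev "$port"
        run ip link set dev "$port" up
        run ip link set dev "$port" master "$br"
    done
    run ip addr replace "$addr" dev "$br"
    run ip link set dev "$br" up
    run ip route replace default via "$gw" dev "$br"
}

# bridge_show BRIDGE: check membership and the STP state after boot.
bridge_show() {
    ip -d link show dev "$1"
    bridge link show
}

case "${1:-}" in
    apply)   bridge_up br0 192.168.1.55/24 192.168.1.1 eth0 wlan0 ;;
    dry-run) DRY_RUN=1; bridge_up br0 192.168.1.55/24 192.168.1.1 eth0 wlan0 ;;
esac
```

In rc.local this replaces the brctl block; hostapd must already be running on wlan0 before the interface is enslaved, exactly as in the order of the original script. "bridge link show" afterwards lists both ports with their forwarding state, and "ip -d link show dev br0" confirms stp_state 0.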
906
Of course you will need a firewall as well, so here is the
acerap_br.fwb file created with the Firewall Builder project and
the script acerap_br.fw it generated: really basic, but a good
starting point. I decided to switch to WPA2 after using this
configuration for about one month. This required only changing
wpa=1 to wpa=2 in /etc/hostapd.conf and restarting hostapd. I
was worried about the amount of work necessary to reconfigure
all clients, but it turned out that only some small changes to
the Windows clients are required.
916 __________________________________________________________
917
918 8. Clients setup - WPA and WPA2 with self-signed certificates.
919
920 8.1. Linux.
921
922 Slackware comes with Wicd in
923 /Slackware/slackware-current/extra/wicd directory and it works
924 fine, so simply install it. Most other collections seem to be
925 using NetworkManager, but anyway there are no problems.
926 __________________________________________________________
927
928 8.2. Mac OS X 10.7.2
929
When I first tried to connect it showed a message stating that
the certificate is not from a known authority and offered me a
check box to accept it permanently; then it asked for the
username and password and worked fine afterwards. There is a
key management program in Mac OS's utilities called Keychain
Access. Here I marked the certificate as trusted and it turned
green. I am not sure if this was necessary, but I wanted to be
on the safe side. I found an instruction that recommended
installing the certificate manually and in advance, but it
turned out that the Mac does it for you. When you decide to use
WPA2 there will be no need to even touch a Mac. It detects the
change in the access point and reacts accordingly by
readjusting its settings and even reusing the username and
password from the previous configuration.
944 __________________________________________________________
945
946 8.3. Itouch.
947
I asked my son to do it, since I only have second-hand
experience with those devices. Besides, I did not want to look
for my glasses. It behaved the same way as the Mac: it asked to
accept the certificate and then asked for the username and
password.
953 __________________________________________________________
954
955 8.4. Windows 7
956
Do not expect to get a question about the certificate at this
point. You will have to install the certificate in advance
yourself. Get it from /usr/local/etc/raddb/certs/ on the
Aspire; I used a USB stick. The instructions I found online are
to create the connection manually and install the certificate
as soon as the network connection setup wizard reaches the
point of asking you for it. This did not help and Windows
continued to complain about the certificate. I installed it
through the Internet Options section of the Control Panel, but
this did not help either. I played with the check boxes ("the
best Windows approach", isn't it?) and did some googling.
Suddenly it worked, and when I tried to connect it asked me to
accept the certificate (the same one which I had installed and
marked in advance as trusted in all the possible places!!!).
This is the picture with the certificate's options.
972
973 [Windows_WPA_setup_576.jpg]
974
As if this were not enough, you need to do the same for all the
users on each Windows machine; even on the same laptop the
procedure for each user will be similar but unique. The only
advice I have is to be persistent and it will work. If you
google the problem you will find that some people simply got
around it by buying certificates; obviously that comes cheaper
for a large number of laptops, but maybe quitting Windows is
better.
983
If you decide to use WPA2, Windows 7 will work fine, but it will
not detect the change automatically. The properties change
shown in the picture above will work. The encryption should
remain TKIP. (TKIP is the cipher WPA introduced; CCMP/AES is the
one WPA2 specifies, so prefer CCMP wherever hostapd and all your
clients support it.) Windows 7 will ask for the username and
password and then it should work fine.
989 __________________________________________________________
990
991 9. Additional administrative tasks you may consider necessary.
992
993 9.1. Limit bad clients - bit torrent.
994
It did not take more than a couple of days for around thirty of
my neighbors to start using the open "Welcome" network. Most of
them turned out to be modest, doing mostly mail and some
surfing, but two or three bittorrent fans turned out to be a
problem. If you decide to provide some Internet for your
neighbors you certainly should do something about this.
1001
You have at least two options: l7-filter from
http://l7-filter.clearfoundation.com/ and ipp2p from
http://www.ipp2p.org/. At one time or another I used both of
them and the results are relatively similar. I still prefer
ipp2p as I believe it consumes less CPU. The project web page
claims that the project is discontinued. This is not exactly
true; it is only discontinued as a separate project for the
external module. It was moved to patch-o-matic, which is today
defunct. After netfilter.org discontinued patch-o-matic it was
moved to xtables-addons, and netfilter.org still supports it
there. First, do not forget to install libmnl from
http://www.netfilter.org/projects/xtables-addons/index.html and
then xtables-addons. Then you will need something like this:
$IPTABLES -N Bittorrent
$IPTABLES -t mangle -N Bittorrent
$IPTABLES -t mangle -A PREROUTING -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
$IPTABLES -A INPUT -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
$IPTABLES -A OUTPUT -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
$IPTABLES -A FORWARD -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
$IPTABLES -A Bittorrent -j LOG --log-level info --log-prefix "Bittorrent "
$IPTABLES -t mangle -A Bittorrent -j LOG --log-level info --log-prefix "Bittorrent m "
$IPTABLES -A Bittorrent -j DROP
$IPTABLES -t mangle -A Bittorrent -j DROP

1030
Most of these commands are unnecessary; just doing

iptables -t mangle -A PREROUTING -s 172.17.0.0/16 -m ipp2p --bit -j DROP

will do most of the job. You simply put it before the line

iptables -A XXXXX -m state --state ESTABLISHED,RELATED -j ACCEPT

to get it working.
1038
Anyway, do not expect too much from it, or from l7-filter for
that matter. They will slow down bittorrent clients
significantly, but both have problems recognizing encrypted
connections. At least the bittorrent clients will no longer be
able to starve all other connections. If you are not satisfied
with the results of the solution just described, you should
combine it with traffic shaping (next section).
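
A compact version of the same idea, as an added example (my code, not the HOWTO's firewall script): one dedicated chain in the mangle table that logs a few hits per minute and drops, with the jump inserted at the top of PREROUTING so that it is evaluated before any ESTABLISHED,RELATED accept rule can whitelist the connection. The guest network 172.17.0.0/16 and the "-m ipp2p --bit" match are the HOWTO's; the chain name P2P, the limit values and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Added example, not from the HOWTO: P2P blocking for the guest network
# as a single chain with rate-limited logging. 172.17.0.0/16 and the
# ipp2p match come from the HOWTO; chain name and limits are mine.
# DRY_RUN=1 prints the commands instead of executing them.

GUEST_NET=${GUEST_NET:-172.17.0.0/16}

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

p2p_block() {
    # One chain in the mangle table: log at most a burst of 10 and then
    # 6 lines per minute (so a busy client cannot flood syslog), then drop.
    run iptables -t mangle -N P2P
    run iptables -t mangle -A P2P -m limit --limit 6/min --limit-burst 10 \
        -j LOG --log-level warning --log-prefix "P2Pdrop:"
    run iptables -t mangle -A P2P -j DROP
    # "-I PREROUTING 1" puts the jump at the very top. mangle PREROUTING is
    # traversed before the filter table, so the state ACCEPT rule in
    # INPUT/FORWARD never sees the packet; this is why the HOWTO's single
    # mangle rule does most of the job on its own.
    run iptables -t mangle -I PREROUTING 1 -s "$GUEST_NET" -m ipp2p --bit -j P2P
}

p2p_unblock() {
    run iptables -t mangle -D PREROUTING -s "$GUEST_NET" -m ipp2p --bit -j P2P
    run iptables -t mangle -F P2P
    run iptables -t mangle -X P2P
}

# Packet and byte counters per rule show whether the match fires at all.
p2p_status() {
    iptables -t mangle -L P2P -n -v --line-numbers
}

case "${1:-}" in
    block)   p2p_block ;;
    unblock) p2p_unblock ;;
    status)  p2p_status ;;
    dry-run) DRY_RUN=1; p2p_block ;;
esac
```

The DROP counter shown by "p2p_status" versus the LOG counter tells you how much the limit is suppressing; if the LOG counter stays at zero while DROP climbs, the ipp2p match works and only the logging is throttled.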
1046 __________________________________________________________
1047
1048 9.2. Traffic shaping
1049
The decision to spend time setting up and fine-tuning traffic
shaping depends on the type of Internet connection used, the
number of clients you have, their behavior and, most important,
whether you will provide some Internet for your neighbors.

If you have a relatively fast and symmetric connection you have
nothing to worry about, but if you are on something like ADSL
and your provider behaves badly, then moving the queue to your
machine makes a real difference. You can read about the reasons
for getting control over your queue in "The Ultimate Traffic
Conditioner" (a chapter of the "Linux Advanced Routing & Traffic
Control HOWTO").
1061
1062 It is important to mention that since "Linux Advanced Routing &
1063 Traffic Control HOWTO" was written, lots of things have
1064 changed, though probably the most important new thing in the
1065 field of traffic shaping is the "Intermediate Functional Block
1066 device". A lot of work has been done in the field and you have
1067 to be really careful when you are doing your own research since
1068 many of the online documentations and examples are outdated.
1069 Most examples will still work fine, but often better solutions
1070 have been developed.
1071
My traffic shaping script had the following goals:

a. Move the queue to my machine.
b. Provide fairness among both my family's clients and the
   guests in the "Welcome" network.
c. Give a guaranteed advantage to my own clients, leaving the
   clients in "Welcome" with what is left, while at the same
   time guaranteeing some bandwidth for Welcome even in moments
   of heavy load. My Internet connection is actually 99%
   unused anyway, but I did not want to listen to complaints
   from my family.
d. Have a method to separate clients that misbehave from the
   crowd.
1085
1086 Here is the resulting script rc.traffic_shaping. It does what I
1087 wanted it to, but is certainly not perfect and will require
1088 additional fine-tuning. Anyway you will have to readjust it to
1089 your conditions.
1090
1091 One important thing that needs to be mentioned is that limiting
1092 the outgoing traffic from a specific source, does not lead to
1093 proportional limitation to the incoming traffic. Most streaming
1094 protocols require small amounts of outgoing requests in order
1095 to get real floods of incoming video. As a result even class
1096 1:13 (this is where baddies go), can seem too restrictive with
1097 its "rate 10kbit burst 15kbit", but it actually gives them
1098 around 600kbits of download speed. This demonstrates that in
1099 order to have precise control you need to shape incoming
1100 connections as well.
1101
Next is the chart of outgoing traffic shaping.

The traffic goes as follows:

From Acer_A1 -> 1:11
From Welcome -> 1:12
Bad clients -> 1:13
Between my cable clients and Acer_A1 -> 1:2

For example, the traffic is classified by iptables with rules
like this:

iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j CLASSIFY --set-class 1:2

You can see how I set the classes in "Policy: Traffic_Control"
in acer_br.pdf, or check the detailed syntax inside the
acerap_br.fw script.
1120
1121 [outgoing_traffic_shaping.jpg]
1122
The next picture represents the chart of incoming traffic
shaping.

The traffic goes as follows:

To Acer_A1 -> 1:31
From Welcome -> 1:32
Bad clients -> 1:33 - nobody is there yet, but it is ready :-).
Between my cable clients and Acer_A1 -> 1:4
1132
1133 [incoming_traffic_shaping.jpg]
1134
The first step in shaping the outgoing traffic is to get the
ifb0 "Intermediate Functional Block device" working. It turned
out that the module does not load automatically, so I load it
in the rc.traffic_shaping script with:

/sbin/modprobe ifb
ifconfig ifb0 up
1141
The next problem is really interesting; look at the part of the
rc.traffic_shaping script pasted below:

##############################
# It is necessary to mirror both eth0 and br0 to ifb0 in order to have
# both traffics with destinations 172.17.0.0/16 and 192.168.1.0/24,
# because each of them sees only one destination as outgoing.
# You may check it by commenting out one of the mirrors and then running
# Wireshark on ifb0.

tc filter add dev $DEV parent ffff: protocol ip prio 10 u32 \
   match ip dst 0.0.0.0/0 flowid 1: \
   action mirred egress redirect dev ifb0

tc filter add dev br0 parent ffff: protocol ip prio 10 u32 \
   match ip dst 0.0.0.0/0 flowid 1: \
   action mirred egress redirect dev ifb0
##############################
1162
$DEV=eth0 is set at the beginning of the script, and "parent
ffff:" is the handle of the ingress qdisc, which has to be
attached to the device first ("tc qdisc add dev $DEV handle
ffff: ingress") or the filter command fails. There is probably a
better way of directing traffic to ifb0, but this is the only
way that works for me. You will need the following commands to
investigate and adjust the script to your own needs:

tc class ls dev eth0
tc class ls dev ifb0
tc -s -d qdisc show dev eth0
tc -s -d qdisc show dev ifb0
tc -s class show dev eth0
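
A minimal, self-contained version of the same design, as an added example (my code, not the HOWTO's rc.traffic_shaping): an HTB tree on the uplink with the class numbers used above (1:11 Acer_A1, 1:12 Welcome, 1:13 misbehaving clients, 1:2 LAN-only traffic), and an ifb0 device that receives the ingress of eth0 and br0 through the two mirred redirects so that incoming traffic can be shaped on its egress side (1:31/1:32/1:33). The rates, the uplink name and the subnet-to-class mapping (192.168.1.0/24 for Acer_A1 and the cable clients, 172.17.0.0/16 for Welcome, as in configuration (c.)) are assumptions; the function names and the DRY_RUN switch are mine.

```shell
#!/bin/sh
# Added example, not the HOWTO's script: HTB + SFQ on the uplink and the
# same on ifb0 for the incoming direction. Rates and interface names are
# assumptions; adjust UP_RATE/DOWN_RATE to a little below your real line
# speed so the queue builds up here and not in the modem.
# DRY_RUN=1 prints the tc/iptables commands instead of executing them.

UPLINK=${UPLINK:-eth0}
LAN=${LAN:-br0}
UP_RATE=${UP_RATE:-700kbit}       # assumption: ~90% of the ADSL upstream
DOWN_RATE=${DOWN_RATE:-5000kbit}  # assumption: ~90% of the ADSL downstream

run() { if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi; }

# leaf DEV MINOR RATE CEIL PRIO: one HTB class under 1:1 with an SFQ inside,
# so flows within the class share it fairly (goal b of the HOWTO).
leaf() {
    run tc class add dev "$1" parent 1:1 classid "1:$2" htb rate "$3" ceil "$4" prio "$5"
    run tc qdisc add dev "$1" parent "1:$2" handle "$2:" sfq perturb 10
}

# Outgoing traffic: root HTB on the uplink; unclassified packets land in 1:12.
shape_egress() {
    dev=$1
    run tc qdisc del dev "$dev" root 2>/dev/null || true
    run tc qdisc add dev "$dev" root handle 1: htb default 12
    run tc class add dev "$dev" parent 1: classid 1:1 htb rate "$UP_RATE" ceil "$UP_RATE"
    run tc class add dev "$dev" parent 1: classid 1:2 htb rate 90mbit  # LAN<->LAN, assumed 100 Mbit wire
    leaf "$dev" 11 350kbit "$UP_RATE" 1   # own clients: half guaranteed, may borrow the rest (goal c)
    leaf "$dev" 12 200kbit "$UP_RATE" 2   # Welcome: guaranteed share even under load (goal c)
    leaf "$dev" 13 10kbit  20kbit     3   # misbehaving clients, like the HOWTO's "rate 10kbit" class
}

# Incoming traffic: redirect what arrives on the uplink and on the LAN bridge
# to ifb0 (both, as the HOWTO found necessary) and shape it there. The ingress
# qdisc (handle ffff:) must exist before the redirect filter is attached.
shape_ingress() {
    run modprobe ifb numifbs=1
    run ip link set dev ifb0 up
    for dev in "$UPLINK" "$LAN"; do
        run tc qdisc del dev "$dev" ingress 2>/dev/null || true
        run tc qdisc add dev "$dev" handle ffff: ingress
        run tc filter add dev "$dev" parent ffff: protocol ip prio 10 u32 \
            match ip dst 0.0.0.0/0 flowid 1: action mirred egress redirect dev ifb0
    done
    run tc qdisc del dev ifb0 root 2>/dev/null || true
    run tc qdisc add dev ifb0 root handle 1: htb default 32
    run tc class add dev ifb0 parent 1: classid 1:1 htb rate "$DOWN_RATE" ceil "$DOWN_RATE"
    leaf ifb0 31 2500kbit "$DOWN_RATE" 1
    leaf ifb0 32 1500kbit "$DOWN_RATE" 2
    leaf ifb0 33 100kbit  200kbit      3
    # No iptables CLASSIFY here: the redirect happens before netfilter sees
    # the packet, so ifb0 has to classify by destination with tc filters.
    run tc filter add dev ifb0 parent 1: protocol ip prio 5 u32 match ip dst 192.168.1.0/24 flowid 1:31
    run tc filter add dev ifb0 parent 1: protocol ip prio 6 u32 match ip dst 172.17.0.0/16 flowid 1:32
}

# Egress classification stays with iptables, as in the HOWTO (there it lives
# in the Firewall Builder policy; run this once, it appends rules).
classify_egress() {
    run iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j CLASSIFY --set-class 1:2
    run iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -j CLASSIFY --set-class 1:11
    run iptables -t mangle -A POSTROUTING -s 172.17.0.0/16 -j CLASSIFY --set-class 1:12
}

# punish IP: goal d, move one misbehaving client to 1:13 (out) and 1:33 (in).
punish() {
    run iptables -t mangle -I POSTROUTING 1 -s "$1" -j CLASSIFY --set-class 1:13
    run tc filter add dev ifb0 parent 1: protocol ip prio 1 u32 match ip dst "$1"/32 flowid 1:33
}

case "${1:-}" in
    apply)   shape_egress "$UPLINK"; shape_ingress; classify_egress ;;
    dry-run) DRY_RUN=1; shape_egress "$UPLINK"; shape_ingress; classify_egress ;;
esac
```

The HOWTO's observation that a tiny outgoing class still lets a client pull hundreds of kbit/s of video is exactly why the ifb0 tree exists: the 1:33 class caps what such a client receives, not just what it sends. "tc -s class show dev ifb0" shows per-class byte counters and the "dropped" figure, which is the first thing to look at when a rate feels wrong.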
1181 __________________________________________________________
1182
1183 9.3. Cache DNS server.
1184
Having a caching DNS server was a great advantage back when
everyone thought that a 28'800 modem was lightning fast. With
today's speeds the percentage of bandwidth saved is close to
zero, but it is so easy to install, and besides, old habits die
hard. Just make /etc/rc.d/rc.bind executable. Slackware has a
/etc/named.conf ready. It is a good idea to set up regular
updates of named.root by creating the script
/etc/cron.monthly/named.root with the following content (the
download goes to a temporary file first, so that a failed fetch
does not leave an empty named.root behind):

#!/bin/sh
#
# Fetch the current root hints; replace the live file and restart
# bind only if the download succeeded.
NEW=/var/named/caching-example/named.root.new
/usr/bin/wget --user=ftp --password=ftp \
    http://www.internic.net/zones/named.root -O "$NEW" && \
mv "$NEW" /var/named/caching-example/named.root && \
/etc/rc.d/rc.bind restart
1200 __________________________________________________________
1201
1202 9.4. Log configuration.
1203
The dhcpd log can be moved to a separate file in three simple
steps:

a. Put the next line at the end of dhcpd.conf:
   log-facility local7;

b. Append at the end of /etc/syslog.conf the line:
   local7.* -/var/log/dhcpd.log

c. Create an empty dhcpd.log with:
   :> /var/log/dhcpd.log

Of course dhcpd and syslogd need to be restarted afterwards.
1217
iptables log. It is a tempting idea to move the iptables log to
a separate file if you use Firewall Builder or simply enjoy
having extensive logs from your firewall. The complication
comes from the limited choice of "--log-level X" available. The
LOG target writes through the kernel's log buffer, not through
a user-space program, so every iptables message reaches syslog
with facility "kern" and the only thing you can choose is the
level. That choice is limited to "0 emerg, 1 alert, 2 crit, 3
err, 4 warning, 5 notice, 6 info, 7 debug". Besides, "crit" is
the default level for klogd to send messages to the console, so
whatever goes on this level inevitably goes on the console as
well. You may experiment with other levels or try changing
"klogd -c 3" to something else.
1230
1231 Everything else is simple after these difficult choices are
1232 made.
1233
First either change the log level setting in Firewall Builder,
or, if you wrote your own script, set it to something like:

-j LOG --log-level warn --log-prefix "my log text"

After this is done, append at the end of /etc/syslog.conf the
line:

kern.=warn -/var/log/fwbuilder.log

and exclude it from the syslog line:

*.warn;kern.!=warn;\
    authpriv.none;cron.none;mail.none;news.none -/var/log/syslog
1246
If you decide to experiment with other levels, for example
"notice", change the line like this:

kern.=notice /var/log/fwbuilder.log

But in the case of "notice" you will also have to exclude
"kern.notice" from /var/log/messages by editing the related
line in syslog.conf in a similar way, yielding the line:

*.info;*.!warn;kern.!=notice;\
    authpriv.none;cron.none;mail.none;news.none -/var/log/messages
1257
There is no perfect choice and some of your boot messages will
always go to fwbuilder.log instead of the messages or syslog
files. The biggest problem is the occasional error message
generated during the normal course of work, which will be
buried in fwbuilder.log.

If you want to see what else goes on in /var/log/fwbuilder.log
apart from the iptables logs, the next command will help you:

grep -v RULE /var/log/fwbuilder.log
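
Two small filters for a log of this kind, as an added example (my code, not from the HOWTO): one turns the "RULE n -- ACTION IN=... SRC=... DPT=..." lines that Firewall Builder's LOG rules produce (the format of the line shown in section 10) into a "which client hits which port how often" summary, the other is the "grep -v RULE" check above as a function. The lines in SAMPLE_LOG are constructed for the example; the addresses, rule numbers and ports in them are not real traffic, and the DENY action name is assumed from Firewall Builder's naming.

```shell
#!/bin/sh
# Added example, not from the HOWTO: summarise fwbuilder-style iptables
# log lines (kern.=warn, "RULE n -- ACTION ...") with awk. Both functions
# read the log on stdin; the sample lines below are constructed.

# fwlog_summary: prints "COUNT SRC DPT PROTO", most frequent first.
# Only rule hits are counted; other kernel lines in the file are ignored.
fwlog_summary() {
    awk '
        /RULE [0-9]+ --/ {
            src = ""; dpt = "-"; proto = "-"
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n == 0) continue            # flags such as DF, SYN, RST
                key = substr($i, 1, n - 1); val = substr($i, n + 1)
                if (key == "SRC")   src = val
                if (key == "DPT")   dpt = val
                if (key == "PROTO") proto = val
            }
            if (src != "") count[src " " dpt " " proto]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# fwlog_noise: everything that landed in fwbuilder.log only because it
# shares the kern.=warn selector, i.e. the HOWTO's "grep -v RULE" check.
fwlog_noise() {
    grep -v 'RULE [0-9]* --'
}

# Constructed sample: one CONTINUE hit, two denied SYNs from a guest to
# the AP's own SSH port, one UDP DNS query, and one unrelated kernel line.
SAMPLE_LOG=$(cat <<'EOF'
Nov 21 21:29:49 acer kernel: [420579.216945] RULE 3 -- CONTINUE IN=wlan0_0 OUT=br0 SRC=172.17.128.154 DST=173.194.31.138 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58669 DF PROTO=TCP SPT=49604 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Nov 21 21:30:02 acer kernel: [420592.001122] RULE 7 -- DENY IN=wlan0_0 OUT= SRC=172.17.128.154 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 21 21:30:05 acer kernel: [420595.443311] RULE 7 -- DENY IN=wlan0_0 OUT= SRC=172.17.128.154 DST=172.17.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=51001 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
Nov 21 21:30:09 acer kernel: [420599.100000] RULE 3 -- CONTINUE IN=wlan0_0 OUT=br0 SRC=172.17.128.201 DST=173.194.31.138 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=777 DF PROTO=UDP SPT=40000 DPT=53 LEN=32
Nov 21 21:31:00 acer kernel: [420650.000000] eth0: link up, 100Mbps, full-duplex
EOF
)

# demo: run both filters over the constructed lines without touching /var/log.
demo() {
    echo "== hits per source/port =="
    printf '%s\n' "$SAMPLE_LOG" | fwlog_summary
    echo "== not firewall hits =="
    printf '%s\n' "$SAMPLE_LOG" | fwlog_noise
}

case "${1:-}" in demo) demo ;; esac
```

On the real file use "fwlog_summary < /var/log/fwbuilder.log | head"; the top lines are the clients and ports worth a closer look (in the sample, the repeated SYNs to port 22 from one guest), and "fwlog_noise < /var/log/fwbuilder.log" lists the boot and driver messages that the kern.=warn selector drags along, which is the downside the HOWTO describes.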
1267 __________________________________________________________
1268
1269 10. Some final words.
1270
1271 Over a month passed, since I started writing this document,
1272 while creating the access point took me only three days.
1273
1274 During the time being the AP did not drop one connection, while
1275 providing coverage over almost a 100 meter diameter. No timeout
1276 error messages occurred, which was so common for the "Linksys
1277 SRX 200" router.
1278
1279 Over 30 of my neighbors started using it more or less heavily
1280 and some really heavily.
1281
1282 For example, while writing this:
1283 root@acer:/var/log# cat /proc/net/ip_conntrack |grep tcp -c
1284 565
1285 root@acer:/var/log# cat /proc/net/ip_conntrack |grep udp -c
1286 76
1287
1288 [iptraf_low.jpg]
1289
And even in a moment of heavy load, like below, not only does
the network remain stable, but it also provides a decent speed
for everyone.
1293
1294 [iptraf.jpg]
1295
Now I have comprehensive log files with lines like:

Nov 21 21:29:49 acer kernel: [420579.216945] RULE 3 -- CONTINUE IN=wlan0_0 OUT=br0 SRC=172.17.128.154 DST=173.194.31.138 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58669 DF PROTO=TCP SPT=49604 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
1302
1303 All in all I am satisfied with the outcome. It was worth the
1304 effort, and the result surpassed the best of all my
1305 expectations.
1306 __________________________________________________________
1307
1308 A. GNU Free Documentation License
1309
1310 A.1. GNU Free Documentation License
1311
1312 Version 1.1, March 2000
1313
1314 Copyright (C) 2000 Free Software Foundation, Inc. 59 Temple
1315 Place, Suite 330, Boston, MA 02111-1307 USA Everyone is
1316 permitted to copy and distribute verbatim copies of this
1317 license document, but changing it is not allowed.
1318 __________________________________________________________
1319
1320 A.2. PREAMBLE
1321
1322 The purpose of this License is to make a manual, textbook, or
1323 other written document "free" in the sense of freedom: to
1324 assure everyone the effective freedom to copy and redistribute
1325 it, with or without modifying it, either commercially or
1326 noncommercially. Secondarily, this License preserves for the
1327 author and publisher a way to get credit for their work, while
1328 not being considered responsible for modifications made by
1329 others.
1330
1331 This License is a kind of "copyleft", which means that
1332 derivative works of the document must themselves be free in the
1333 same sense. It complements the GNU General Public License,
1334 which is a copyleft license designed for free software.
1335
1336 We have designed this License in order to use it for manuals
1337 for free software, because free software needs free
1338 documentation: a free program should come with manuals
1339 providing the same freedoms that the software does. But this
1340 License is not limited to software manuals; it can be used for
1341 any textual work, regardless of subject matter or whether it is
1342 published as a printed book. We recommend this License
1343 principally for works whose purpose is instruction or
1344 reference.
1345 __________________________________________________________
1346
1347 A.3. APPLICABILITY AND DEFINITIONS
1348
1349 This License applies to any manual or other work that contains
1350 a notice placed by the copyright holder saying it can be
1351 distributed under the terms of this License. The "Document",
1352 below, refers to any such manual or work. Any member of the
1353 public is a licensee, and is addressed as "you".
1354
1355 A "Modified Version" of the Document means any work containing
1356 the Document or a portion of it, either copied verbatim, or
1357 with modifications and/or translated into another language.
1358
1359 A "Secondary Section" is a named appendix or a front-matter
1360 section of the Document that deals exclusively with the
1361 relationship of the publishers or authors of the Document to
1362 the Document's overall subject (or to related matters) and
1363 contains nothing that could fall directly within that overall
1364 subject. (For example, if the Document is in part a textbook of
1365 mathematics, a Secondary Section may not explain any
1366 mathematics.) The relationship could be a matter of historical
1367 connection with the subject or with related matters, or of
1368 legal, commercial, philosophical, ethical or political position
1369 regarding them.
1370
1371 The "Invariant Sections" are certain Secondary Sections whose
1372 titles are designated, as being those of Invariant Sections, in
1373 the notice that says that the Document is released under this
1374 License.
1375
1376 The "Cover Texts" are certain short passages of text that are
1377 listed, as Front-Cover Texts or Back-Cover Texts, in the notice
1378 that says that the Document is released under this License.
1379
1380 A "Transparent" copy of the Document means a machine-readable
1381 copy, represented in a format whose specification is available
1382 to the general public, whose contents can be viewed and edited
1383 directly and straightforwardly with generic text editors or
1384 (for images composed of pixels) generic paint programs or (for
1385 drawings) some widely available drawing editor, and that is
1386 suitable for input to text formatters or for automatic
1387 translation to a variety of formats suitable for input to text
1388 formatters. A copy made in an otherwise Transparent file format
1389 whose markup has been designed to thwart or discourage
1390 subsequent modification by readers is not Transparent. A copy
1391 that is not "Transparent" is called "Opaque".
1392
1393 Examples of suitable formats for Transparent copies include
1394 plain ASCII without markup, Texinfo input format, LaTeX input
1395 format, SGML or XML using a publicly available DTD, and
1396 standard-conforming simple HTML designed for human
1397 modification. Opaque formats include PostScript, PDF,
1398 proprietary formats that can be read and edited only by
1399 proprietary word processors, SGML or XML for which the DTD
1400 and/or processing tools are not generally available, and the
1401 machine-generated HTML produced by some word processors for
1402 output purposes only.
1403
1404 The "Title Page" means, for a printed book, the title page
1405 itself, plus such following pages as are needed to hold,
1406 legibly, the material this License requires to appear in the
1407 title page. For works in formats which do not have any title
1408 page as such, "Title Page" means the text near the most
1409 prominent appearance of the work's title, preceding the
1410 beginning of the body of the text.
1411 __________________________________________________________
1412
1413 A.4. VERBATIM COPYING
1414
1415 You may copy and distribute the Document in any medium, either
1416 commercially or noncommercially, provided that this License,
1417 the copyright notices, and the license notice saying this
1418 License applies to the Document are reproduced in all copies,
1419 and that you add no other conditions whatsoever to those of
1420 this License. You may not use technical measures to obstruct or
1421 control the reading or further copying of the copies you make
1422 or distribute. However, you may accept compensation in exchange
1423 for copies. If you distribute a large enough number of copies
1424 you must also follow the conditions in section 3.
1425
1426 You may also lend copies, under the same conditions stated
1427 above, and you may publicly display copies.
1428 __________________________________________________________
1429
1430 A.5. COPYING IN QUANTITY
1431
1432 If you publish printed copies of the Document numbering more
1433 than 100, and the Document's license notice requires Cover
1434 Texts, you must enclose the copies in covers that carry,
1435 clearly and legibly, all these Cover Texts: Front-Cover Texts
1436 on the front cover, and Back-Cover Texts on the back cover.
1437 Both covers must also clearly and legibly identify you as the
1438 publisher of these copies. The front cover must present the
1439 full title with all words of the title equally prominent and
1440 visible. You may add other material on the covers in addition.
1441 Copying with changes limited to the covers, as long as they
1442 preserve the title of the Document and satisfy these
1443 conditions, can be treated as verbatim copying in other
1444 respects.
1445
1446 If the required texts for either cover are too voluminous to
1447 fit legibly, you should put the first ones listed (as many as
1448 fit reasonably) on the actual cover, and continue the rest onto
1449 adjacent pages.
1450
1451 If you publish or distribute Opaque copies of the Document
1452 numbering more than 100, you must either include a
machine-readable Transparent copy along with each Opaque copy,
or state in or with each Opaque copy a publicly-accessible
computer-network location containing a complete Transparent
copy of the Document, free of added material, which the general
network-using public has access to download anonymously at no
charge using public-standard network protocols. If you use the
latter option, you must take reasonably prudent steps, when you
begin distribution of Opaque copies in quantity, to ensure that
this Transparent copy will remain thus accessible at the stated
location until at least one year after the last time you
distribute an Opaque copy (directly or through your agents or
retailers) of that edition to the public.

It is requested, but not required, that you contact the authors
of the Document well before redistributing any large number of
copies, to give them a chance to provide you with an updated
version of the Document.
__________________________________________________________

A.6. MODIFICATIONS

You may copy and distribute a Modified Version of the Document
under the conditions of sections 2 and 3 above, provided that
you release the Modified Version under precisely this License,
with the Modified Version filling the role of the Document,
thus licensing distribution and modification of the Modified
Version to whoever possesses a copy of it. In addition, you
must do these things in the Modified Version:

A. Use in the Title Page (and on the covers, if any) a title
distinct from that of the Document, and from those of
previous versions (which should, if there were any, be
listed in the History section of the Document). You may use
the same title as a previous version if the original
publisher of that version gives permission.
B. List on the Title Page, as authors, one or more persons or
entities responsible for authorship of the modifications in
the Modified Version, together with at least five of the
principal authors of the Document (all of its principal
authors, if it has less than five).
C. State on the Title page the name of the publisher of the
Modified Version, as the publisher.
D. Preserve all the copyright notices of the Document.
E. Add an appropriate copyright notice for your modifications
adjacent to the other copyright notices.
F. Include, immediately after the copyright notices, a license
notice giving the public permission to use the Modified
Version under the terms of this License, in the form shown
in the Addendum below.
G. Preserve in that license notice the full lists of Invariant
Sections and required Cover Texts given in the Document's
license notice.
H. Include an unaltered copy of this License.
I. Preserve the section entitled "History", and its title, and
add to it an item stating at least the title, year, new
authors, and publisher of the Modified Version as given on
the Title Page. If there is no section entitled "History"
in the Document, create one stating the title, year,
authors, and publisher of the Document as given on its
Title Page, then add an item describing the Modified
Version as stated in the previous sentence.
J. Preserve the network location, if any, given in the
Document for public access to a Transparent copy of the
Document, and likewise the network locations given in the
Document for previous versions it was based on. These may
be placed in the "History" section. You may omit a network
location for a work that was published at least four years
before the Document itself, or if the original publisher of
the version it refers to gives permission.
K. In any section entitled "Acknowledgements" or
"Dedications", preserve the section's title, and preserve
in the section all the substance and tone of each of the
contributor acknowledgements and/or dedications given
therein.
L. Preserve all the Invariant Sections of the Document,
unaltered in their text and in their titles. Section
numbers or the equivalent are not considered part of the
section titles.
M. Delete any section entitled "Endorsements". Such a section
may not be included in the Modified Version.
N. Do not retitle any existing section as "Endorsements" or to
conflict in title with any Invariant Section.

If the Modified Version includes new front-matter sections or
appendices that qualify as Secondary Sections and contain no
material copied from the Document, you may at your option
designate some or all of these sections as invariant. To do
this, add their titles to the list of Invariant Sections in the
Modified Version's license notice. These titles must be
distinct from any other section titles.

You may add a section entitled "Endorsements", provided it
contains nothing but endorsements of your Modified Version by
various parties--for example, statements of peer review or that
the text has been approved by an organization as the
authoritative definition of a standard.

You may add a passage of up to five words as a Front-Cover
Text, and a passage of up to 25 words as a Back-Cover Text, to
the end of the list of Cover Texts in the Modified Version.
Only one passage of Front-Cover Text and one of Back-Cover Text
may be added by (or through arrangements made by) any one
entity. If the Document already includes a cover text for the
same cover, previously added by you or by arrangement made by
the same entity you are acting on behalf of, you may not add
another; but you may replace the old one, on explicit
permission from the previous publisher that added the old one.

The author(s) and publisher(s) of the Document do not by this
License give permission to use their names for publicity for or
to assert or imply endorsement of any Modified Version.
__________________________________________________________

A.7. COMBINING DOCUMENTS

You may combine the Document with other documents released
under this License, under the terms defined in section 4 above
for modified versions, provided that you include in the
combination all of the Invariant Sections of all of the
original documents, unmodified, and list them all as Invariant
Sections of your combined work in its license notice.

The combined work need only contain one copy of this License,
and multiple identical Invariant Sections may be replaced with
a single copy. If there are multiple Invariant Sections with
the same name but different contents, make the title of each
such section unique by adding at the end of it, in parentheses,
the name of the original author or publisher of that section if
known, or else a unique number. Make the same adjustment to the
section titles in the list of Invariant Sections in the license
notice of the combined work.

In the combination, you must combine any sections entitled
"History" in the various original documents, forming one
section entitled "History"; likewise combine any sections
entitled "Acknowledgements", and any sections entitled
"Dedications". You must delete all sections entitled
"Endorsements."
__________________________________________________________

A.8. COLLECTIONS OF DOCUMENTS

You may make a collection consisting of the Document and other
documents released under this License, and replace the
individual copies of this License in the various documents with
a single copy that is included in the collection, provided that
you follow the rules of this License for verbatim copying of
each of the documents in all other respects.

You may extract a single document from such a collection, and
distribute it individually under this License, provided you
insert a copy of this License into the extracted document, and
follow this License in all other respects regarding verbatim
copying of that document.
__________________________________________________________

A.9. AGGREGATION WITH INDEPENDENT WORKS

A compilation of the Document or its derivatives with other
separate and independent documents or works, in or on a volume
of a storage or distribution medium, does not as a whole count
as a Modified Version of the Document, provided no compilation
copyright is claimed for the compilation. Such a compilation is
called an "aggregate", and this License does not apply to the
other self-contained works thus compiled with the Document, on
account of their being thus compiled, if they are not
themselves derivative works of the Document.

If the Cover Text requirement of section 3 is applicable to
these copies of the Document, then if the Document is less than
one quarter of the entire aggregate, the Document's Cover Texts
may be placed on covers that surround only the Document within
the aggregate. Otherwise they must appear on covers around the
whole aggregate.
__________________________________________________________

A.10. TRANSLATION

Translation is considered a kind of modification, so you may
distribute translations of the Document under the terms of
section 4. Replacing Invariant Sections with translations
requires special permission from their copyright holders, but
you may include translations of some or all Invariant Sections
in addition to the original versions of these Invariant
Sections. You may include a translation of this License
provided that you also include the original English version of
this License. In case of a disagreement between the translation
and the original English version of this License, the original
English version will prevail.
__________________________________________________________

A.11. TERMINATION

You may not copy, modify, sublicense, or distribute the
Document except as expressly provided for under this License.
Any other attempt to copy, modify, sublicense or distribute the
Document is void, and will automatically terminate your rights
under this License. However, parties who have received copies,
or rights, from you under this License will not have their
licenses terminated so long as such parties remain in full
compliance.
__________________________________________________________

A.12. FUTURE REVISIONS OF THIS LICENSE

The Free Software Foundation may publish new, revised versions
of the GNU Free Documentation License from time to time. Such
new versions will be similar in spirit to the present version,
but may differ in detail to address new problems or concerns.
See http://www.gnu.org/copyleft/.

Each version of the License is given a distinguishing version
number. If the Document specifies that a particular numbered
version of this License "or any later version" applies to it,
you have the option of following the terms and conditions
either of that specified version or of any later version that
has been published (not as a draft) by the Free Software
Foundation. If the Document does not specify a version number
of this License, you may choose any version ever published (not
as a draft) by the Free Software Foundation.
__________________________________________________________

A.13. HOW TO USE THIS LICENSE FOR YOUR DOCUMENTS

To use this License in a document you have written, include a
copy of the License in the document and put the following
copyright and license notices just after the title page:

Copyright (c) YEAR YOUR NAME. Permission is granted to copy,
distribute and/or modify this document under the terms of
the GNU Free Documentation License, Version 1.1 or any later
version published by the Free Software Foundation; with the
Invariant Sections being LIST THEIR TITLES, with the
Front-Cover Texts being LIST, and with the Back-Cover Texts
being LIST. A copy of the license is included in the section
entitled "GNU Free Documentation License".

If you have no Invariant Sections, write "with no Invariant
Sections" instead of saying which ones are invariant. If you
have no Front-Cover Texts, write "no Front-Cover Texts" instead
of "Front-Cover Texts being LIST"; likewise for Back-Cover
Texts.

If your document contains nontrivial examples of program code,
we recommend releasing these examples in parallel under your
choice of free software license, such as the GNU General Public
License, to permit their use in free software.