Attachment 'Wireless-AP-from-laptop-HOWTO.xml'


   1 <?xml version='1.0' encoding='UTF-8'?>
   2 <!-- This document was created with Syntext Serna Free. --><!DOCTYPE article PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN" "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
   3  <!-- 
   4   This is where we will call the external files that we would like to
   5   include in our document. Uncomment each line if you wish to call the 
   6   corresponding external file. At the end of the document you will
   7   also need to uncomment the corresponding entity.
   8  -->
   9  <!-- Appendix -->
  10 <!ENTITY appendix SYSTEM "ldp-appendix.xml">
  11  <!-- Remember to uncomment &appendix; in the document body as well. -->
  12  
  13  <!-- Glossary -->
  14  <!-- <!ENTITY glossary SYSTEM "ldp-glossary.xml"> -->
  15  <!-- Remember to uncomment &glossary; in the document body as well. -->
  16 
  17  <!-- Bibliography -->
  18  <!-- <!ENTITY bibliography SYSTEM "ldp-bibliography.xml"> -->
  19  <!-- Remember to uncomment &bibliography; in the document body as well. -->
  20 ]>
  21 <article id="index">
  22   <articleinfo>
  23     <title>Wireless access point from laptop HOWTO.</title>
  24     <subtitle>How to create a wireless access point and router, from a laptop.</subtitle>
  25     <author>
  26       <firstname>Krastyo</firstname>
  27       <surname>Komsalov</surname>
  28       <authorblurb>
  29         <para/>
  30       </authorblurb>
  31       <affiliation>
  32 <!-- The name of your organization is optional. -->        <orgname>
  33           <ulink url="http://komsalov.homelinux.org/">http://komsalov.homelinux.org/</ulink>
  34           <ulink url="http://ca.linkedin.com/in/kkomsalov">http://ca.linkedin.com/in/kkomsalov</ulink>
  35         </orgname>
  36 <!-- A valid email is required. You may add a spam blocker, or get a Yahoo/Gmail/etc account. -->        <address>
  37           <email>kkomsalov@gmail.NOSPAM.com</email>
  38         </address>
  39       </affiliation>
  40     </author>
  41 <!-- The date of publication. -->    <pubdate>2012-04-15</pubdate>
  42 <!-- A short description of what is contained in this document. -->    <abstract>
   43       <para>This is, as simply as I could manage to write it, an instruction on how to make a wireless access point from a computer with a wireless adapter.</para>
  44     </abstract>
  45 <!-- A summary of the revisions to date. The latest revision should be at the top. -->    <revhistory>
  46       <revision>
  47         <revnumber> 2.0</revnumber>
  48         <date>2012-06-29</date>
  49         <authorinitials>Me</authorinitials>
  50         <revremark>Changed the document title. Fixed a number of spelling mistakes.</revremark>
  51       </revision>
  52       <revision>
  53         <revnumber> 1.1</revnumber>
  54         <date>2012-01-01</date>
  55         <authorinitials>ME</authorinitials>
   56         <revremark>Created first DocBook version.</revremark>
  57       </revision>
  58       <revision>
  59         <revnumber> 1.0</revnumber>
  60         <date>2011-10-09</date>
  61         <authorinitials>ME</authorinitials>
  62         <revremark>First UNofficial release.</revremark>
  63       </revision>
  64     </revhistory>
  65   </articleinfo>
  66 <!-- 
  67  A little about file names...
  68  If you would like, you can add an "id" to each of your sections.
  69  The id will be used as the file name when output to HTML. Make sure
  70  it is:
  71   1) all one word
  72   2) contains no spaces
  73  As of March 2005, the LDP is using DSSSL processing tools. The 
  74   <?dbhtml filename="file.html" ?>
  75  should match the id so that the file names are the same regardless of 
  76  processing tools.
  77 -->  <sect1 label="" id="aboutdoc">
  78 <?dbhtml filename="aboutdoc.html"?>    <title>About this document</title>
  79     <sect2 id="copyright">
  80 <?dbhtml filename="copyright.html"?>      <title>Copyright and License</title>
  81       <para>
  82       Copyright (c) 2012 by Krastyo Komsalov.</para>
  83       <para>Permission is granted to copy, distribute and/or modify this 
  84       document under the terms of the GNU Free Documentation License, Version 
  85       1.1 or any later version published by the Free Software Foundation;
  86       with no Invariant Sections, no Front-Cover Texts, and with no Back-Cover
  87       Texts.
  88       A copy of the license is included in <xref linkend="gfdl"/>.
  89   <!-- The LDP requires you to include the full text of the license. -->
  90 </para>
  91     </sect2>
  92     <sect2 id="translations">
  93 <?dbhtml filename="translations.html"?>      <title>Translations</title>
  94 <!--
  95 Probably your document will not have a translation to start.
  96 Uncomment the following section when there are translations ready.
  97 --><!-- 
  98 <para>This document is also available in the following languages:</para>
  99 
 100 <itemizedlist>
 101 <listitem>
 102 <para><ulink url="URL">LANGUAGE</ulink>. Include a note of thanks to your translation team.</para>
 103 </listitem>
 104 </itemizedlist>
 105 -->      <para>If you know of any translations for this document, or you are interested in translating it, please email me <email>kkomsalov@gmail.com</email>.</para>
 106     </sect2>
 107     <sect2 id="preface">
 108       <title>Preface</title>
 109       <para>The main reason for writing this document is to share my surprise of how easy it is to convert a laptop into a wireless access point on Slackware.</para>
 110     </sect2>
 111     <sect2 id="thanks">
 112       <title>Acknowledgments</title>
  113       <para>I wish to express my gratitude towards my two sons Petko Komsalov and Viktor Komsalov, who spent countless hours of their time on the editing of this guide. The finalized form of this guide would not have been publishable without their advice and counsel while rooting out inconsistencies and mistakes.</para>
 114 <!-- If it is a long list of people, you may want to use a bullet list: --><!-- 
 115 <itemizedlist>
 116 <listitem><para></para></listitem>
 117 <listitem><para></para></listitem>
 118 <listitem><para></para></listitem>
 119 </itemizedlist>
 120 -->    </sect2>
 121     <sect2 id="feedback">
 122       <title>Feedback</title>
 123       <para>Find something wrong with this document? (Or perhaps something right?) I would love to hear from you. Please email me at <email>kkomsalov@gmail.com</email>.</para>
 124     </sect2>
 125     <sect2 id="conventions">
 126       <title>Conventions used in this document</title>
 127 <!-- 
 128  This section was provided by Machtelt Garrels.
 129  You do not need to include it in your document, especially if your HOWTO is 
 130  very short.
 131 -->      <para>The following typographic and usage conventions occur in this text:
 132 </para>
 133       <table frame="all" id="table-conventions">
 134         <title>Typographic and usage conventions</title>
 135         <tgroup cols="2" colsep="1" rowsep="1" align="left">
 136           <thead>
 137             <row>
 138               <entry>Text type</entry>
 139               <entry>Meaning</entry>
 140             </row>
 141           </thead>
 142           <tbody>
 143             <row>
 144               <entry>
 145                 <quote>Quoted text</quote>
 146               </entry>
 147               <entry>Quotes from people, quoted computer output.</entry>
 148             </row>
 149             <row>
 150               <entry>
 151                 <screen>terminal view</screen>
 152               </entry>
 153               <entry>Literal computer input and output captured from the terminal.</entry>
 154             </row>
 155             <row>
 156               <entry>
 157                 <command>command</command>
 158               </entry>
 159               <entry>Name of a command that can be entered on the command line.</entry>
 160             </row>
 161             <row>
 162               <entry>
 163                 <option>option</option>
 164               </entry>
 165               <entry>Option to a command, as in <quote>the <option>-a</option> option to the <command>ls</command> command</quote>.</entry>
 166             </row>
 167             <row>
 168               <entry>
 169                 <parameter>parameter</parameter>
 170               </entry>
 171               <entry>Parameter to a command, as in <quote>read <command>man <parameter>ls</parameter></command></quote>.</entry>
 172             </row>
 173             <row>
 174               <entry>
 175                 <cmdsynopsis>
 176                   <command>command <option>options</option><parameter>arguments</parameter></command>
 177                 </cmdsynopsis>
 178               </entry>
 179               <entry>Command synopsis or general usage, on a separated line.</entry>
 180             </row>
 181             <row>
 182               <entry>
 183                 <filename>filename</filename>
 184               </entry>
 185               <entry>Name of a file or directory, for example <quote>Change to the <filename class="directory">/usr/bin</filename> directory.</quote></entry>
 186             </row>
 187             <row>
 188               <entry>
 189                 <menuchoice>
 190                   <guimenu>Menu</guimenu>
 191                   <guimenuitem>Choice</guimenuitem>
 192                 </menuchoice>
 193               </entry>
 194               <entry>Choice to select from a graphical menu, for instance: <quote>Select <menuchoice>
 195                     <guimenu>Help</guimenu>
 196                     <guimenuitem>About Mozilla</guimenuitem>
 197                   </menuchoice> in your browser.</quote></entry>
 198             </row>
 199             <row>
 200               <entry>
 201                 <ulink url="http://www.xtrinsic.com">The author</ulink>
 202               </entry>
 203               <entry>Click-able link to an external web resource.</entry>
 204             </row>
 205           </tbody>
 206         </tgroup>
 207       </table>
 208       <para>Thanks to Machtelt <quote>Tille</quote> Garrels for this list of conventions.</para>
 209     </sect2>
 210   </sect1>
 211   <sect1 id="about">
 212 <?dbhtml filename="about.html"?>    <title>Introduction</title>
  213     <para>The main reason for writing this document is to share my surprise of how easy it is to convert the Aspire One into a wireless access point on Slackware, and how good the Aspire One hardware is for this. Accidentally, I happened to have some free time and one three year old Aspire in my hands, so I decided to do something about my growing dissatisfaction with my home router. I live in a crowded Wi-Fi area with over 30 access points coming from the apartments around me, and my router obviously has trouble with this. What I wanted was a wireless router over which I would have full control of all settings: log level control, the ability to install additional software for traffic analysis, a decent iptables firewall, RADIUS; in short, a wireless router with a full Linux installed on it.</para>
 214     <orderedlist numeration="loweralpha">
 215       <listitem>
  216         <para>I chose to use FreeRADIUS, since I wanted not only WPA support and the ability to add further access points with roaming, but also the extensibility to any user database, from local flat files to LDAP. Hostapd has its own integrated RADIUS server, but the freedom of having FreeRADIUS was too tempting; besides, the setup with a flat ASCII users file is really easy. In this configuration RADIUS is set up to use files.</para>
 217       </listitem>
 218       <listitem>
  219         <para>IPv6 and DNSSEC are here to stay, and no embedded router has all the functionality which I have with Linux. IPv6 and DNSSEC configuration is not included in this HOWTO guide, but the freedom to configure them is there.</para>
 220       </listitem>
 221       <listitem>
  222         <para>I wanted to have not only a standard firewall, but the full power of iptables. Simple functionality like SSH tunnels, which allow my kids to reach home from school, is tricky with my router, and traffic shaping is simply not available. For this reason Firewall Builder is included in this configuration with a basic rule set. I think it is by far the best firewall management solution on the market, and it is free for Linux users.</para>
 223       </listitem>
 224       <listitem>
  225         <para>I wanted to have at least two wireless networks (with different SSIDs), so that I can safely open one of them and share some of my bandwidth with my neighbours. This I hope will make me feel less ripped off next time I pay my Internet bill.</para>
 226       </listitem>
 227       <listitem>
  228         <para>The other solution, OpenWrt, had two disadvantages: my router is too weak to support OpenWrt, and any router that is powerful enough for everything I want costs nearly as much as or more than the Aspire, which I already have.</para>
 229       </listitem>
 230     </orderedlist>
 231   </sect1>
 232   <sect1 id="install">
 233 <?dbhtml filename="install.html"?>    <title>Hardware description</title>
  234     <para>My Acer Aspire One is model KAV10, which is one of Acer&apos;s oldest models. Since then Acer has produced many new models, but the only important part for this configuration is the model of the wireless adapter within it. From what I found, Acer has been changing the adapter in nearly all newer models of the Aspire. All the models I checked come with a different adapter made by Atheros (although it is important to verify the manufacturer). If you are thinking of buying the laptop, check its wireless adapter in advance. For mine, <command>lspci</command> and <command>dmesg</command> give this:</para>
 235     <screen>bash-4.1# lspci
 236 01:00.0 Ethernet controller: Atheros Communications Inc. AR5001
 237         Wireless Network Adapter (rev 01)
 238 03:00.0 Ethernet controller: Atheros Communications AR8121/AR8113/AR8114
 239         Gigabit or Fast Ethernet (rev b0)
 240 bash-4.1# dmesg |grep Atheros
 241 [   10.367156] ath5k phy0: Atheros AR2425 chip found (MAC: 0xe2, PHY: 0x70)</screen>
  242     <para>This is really good news, as Atheros adapters are among the best supported on Linux (the people from the MadWifi project are doing excellent work). Note that the <command>dmesg</command> line above shows that the in-kernel <application>ath5k</application> driver has already claimed the card. That is the driver <application>hostapd</application> talks to through nl80211, and it is also what makes the <command>iw list</command> check below possible; the out-of-tree MadWifi driver is only used if you explicitly set <option>driver=madwifi</option> in <filename>hostapd.conf</filename>.</para>
  243     <para>Surprisingly, Windows gives different information:</para>
 244     <graphic fileref="Atheros_win.jpg"/>
  245     <para>If it turns out that your adapter is different from mine, you will have to investigate further in order to be sure it supports AP mode. To accomplish this you will need the &quot;<command>iw</command>&quot; command. You probably have it already, but for the source and some documentation go to: <ulink url="http://linuxwireless.org/en/users/Documentation/iw">http://linuxwireless.org/en/users/Documentation/iw</ulink>. The most informative invocation is:</para>
 246     <para><command>iw list</command></para>
 247     <para>It will give you a pretty long output. In it look for the part that is similar to the following:</para>
 248     <screen>Supported interface modes:
 249                  * IBSS
 250                  * managed
 251                  * AP
 252                  * AP/VLAN
 253                  * monitor
 254                  * mesh point
 255         Supported commands:</screen>
 256     <para>If there is a line &quot;* AP&quot; it is good news, you have the necessary AP support for hostapd.</para>
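    <para>The check described above can be scripted. The following is an added example and not part of the original HOWTO: a POSIX shell function that reads the output of <command>iw list</command> and reports whether plain AP mode is among the supported interface modes. It parses the <quote>Supported interface modes:</quote> block instead of grepping for AP, because a naive grep also matches the separate <quote>* AP/VLAN</quote> line. The two sample outputs embedded in the script are constructed for illustration, not captured from the Aspire.</para>

```shell
#!/bin/sh
# supports_ap_mode: read "iw list" output on stdin, exit 0 if "* AP" is
# listed under "Supported interface modes:", 1 otherwise.
# Only the bullet lines directly under that header are considered; the
# first non-bullet line (e.g. "Supported commands:") ends the block.
supports_ap_mode() {
    awk '
        /^[ \t]*Supported interface modes:/ { in_modes = 1; next }
        in_modes == 1 {
            if ($0 ~ /^[ \t]*\* /) {
                sub(/^[ \t]*\* /, "")           # strip the bullet
                if ($0 == "AP") found = 1       # exact match, so AP/VLAN does not count
                next
            }
            in_modes = 0                        # first non-bullet line ends the block
        }
        END { exit (found ? 0 : 1) }
    '
}

# Constructed sample outputs (not real captures) in the shape iw prints.
SAMPLE_WITH_AP='Wiphy phy0
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
        Supported commands:
                 * new_interface'

SAMPLE_VLAN_ONLY='Wiphy phy1
        Supported interface modes:
                 * managed
                 * AP/VLAN
        Supported commands:
                 * new_interface'

# Run against the real adapter with: sh check_ap.sh live
if [ "${1:-}" = live ]; then
    if iw list | supports_ap_mode; then
        echo "AP mode is supported: hostapd can use this adapter"
    else
        echo "AP mode is NOT supported: hostapd cannot use this adapter"
        exit 1
    fi
fi
```

    <para>Running the script with the argument <parameter>live</parameter> pipes the real <command>iw list</command> output through the function; without an argument it only defines the function and the samples, so it can be sourced from other scripts.</para>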
 257     <para>If it turns out that your chipset is different from mine you can check if it is supported on the MadWifi website. The MadWifi website is also by far the best source of documentation I have found. This will be one of your primary sources of knowledge when you decide to adjust to your needs, experiment or simply improve the configuration given below.</para>
  258     <para>If you do not have Linux installed already, you can boot it from a Slackware or SystemRescueCd USB stick and do some investigation on your Aspire.</para>
 259     <para>The model of my old router &quot;Linksys SRX 200&quot; shown as part of two of the three configurations is not important. You may use any wireless router if you have any or avoid using it at all if you decide to permanently dedicate the Aspire as your Wireless router.</para>
 260   </sect1>
 261   <sect1 id="netconf">
 262 <?dbhtml filename="Some-possible-network-configurations.html"?>    <title>Some possible network configurations</title>
 263     <sect2 id="netconfa">
 264 <?dbhtml filename="netconfa.html"?>      <title>Keep your old router and append the Aspire inside, providing two additional wireless networks. Configuration (a.).</title>
 265       <graphic fileref="2AP3net_masq.jpg" srccredit="" contentwidth="" align="center" vendor=""/>
  266       <para>In this configuration the Ethernet port of the Aspire is connected directly to the &quot;SRX 200&quot;. This gets around the Aspire having only one Ethernet port: otherwise two would be required, one for the Internet link and the other for the internal switch that provides Internet access to Ethernet-connected computers. The two wireless networks are NAT&apos;ed behind the 192.168.1.55 IP address. The reason for this is not only to put SSID &quot;Welcome&quot; in a separate network and simplify firewalling, but also to resolve some NAT and routing problems. First, the devices in 192.168.1.0/24 must have a route to 192.168.11.0/24. I had no problem adding routes within Linux and Solaris, but my network printer simply has no such thing as a routing table in its web interface. Second, adding the route in the &quot;SRX 200&quot; is not a problem, but the &quot;SRX 200&quot; refuses to NAT any network other than the one connected to its interface. This is probably solvable by subnetting its network, but I think the next configurations (b.) and (c.) are better solutions. Even with all its disadvantages, I think this configuration is the best starting point, as it will not cause any disruption or changes in your current setup until all configuration on the Aspire is done and tested; then it can easily be converted to any other.</para>
 267     </sect2>
 268     <sect2 id="netconfb">
 269 <?dbhtml filename="netconfb.html"?>      <title>Using only Aspire as AP. Configuration (b.).</title>
 270       <graphic fileref="Aspire_only.jpg"/>
  271       <para>This configuration frees you from any later worries and is the optimal variant, but there is a price to pay. Since the Aspire has only one Ethernet adapter you have to add a second one. There are two solutions. The first one (shown in the picture) is to use an intelligent or managed switch and carry two VLANs over eth0. The second one is to use a USB to Ethernet adapter, converting one of the USB ports to Ethernet. The drawback of the switch solution is that it is much more expensive, though it has the advantage of speed, stability and simplicity. The USB to Ethernet adapter is much cheaper, but it comes with doubtful Linux driver support and uncertain speed and reliability.
  272 There is one more small detail to mention: depending on what kind of Internet connection you have, there will be different setups for the uplink adapter. If you use a cable connection then it simply has to be on DHCP. In the case of ADSL (my case) you will need to configure PPPoE. On Slackware you simply have to run the <command>pppoe-setup</command> script.</para>
 273     </sect2>
 274     <sect2>
 275 <?dbhtml filename="netconfc.html"?>      <title>Bridging between the two private networks and NATing only &quot;Welcome&quot; public network. Configuration (c.).</title>
 276       <graphic fileref="2AP3net_Bridge.jpg"/>
  277       <para>In this configuration the interfaces eth0 and wlan0 are bridged. The network 192.168.1.0/24 can be accessed through either the &quot;kristo&quot; or the &quot;Acer_A1&quot; SSID. The DHCP server on the Aspire is bound only to the wlan0_0 interface. NAT to 192.168.1.55 is only done for 172.17.0.0/16. The computers accessing the 192.168.1.0/24 network through SSID &quot;Acer_A1&quot; get IP addresses from the DHCP server on the &quot;SRX 200&quot;. Other solutions would be available if the DHCP server on the &quot;SRX 200&quot; were more manageable. For example, instead of bridging the two parts of 192.168.1.0/24, it would be more elegant to subnet 192.168.1.0/24 and set up a DHCP relay for the part behind SSID &quot;Acer_A1&quot;.</para>
  278       <para>This configuration has two advantages. First, it avoids both the routing problem of solution (a.) and the consequent NAT&apos;ing of &quot;Acer_A1&quot;. Second, it allows the Aspire to be turned off while networking continues through your old router. If you can&apos;t afford to dedicate your Aspire as an AP, this is the best configuration. It provides a stable network when you do not need the Aspire and allows you to disconnect the Aspire from the network for personal use, while preserving a functional network.</para>
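      <para>The separation described for configurations (a.) and (c.), keeping the open &quot;Welcome&quot; network away from the private one while NATing it, can be expressed as a small iptables script. This is an added example and not the Firewall Builder rule set used in this HOWTO. It assumes configuration (c.) with a bridge named <interface>br0</interface> holding eth0 and wlan0, the &quot;Welcome&quot; SSID on <interface>wlan0_0</interface> with 172.17.0.0/16, and the Aspire at 192.168.1.55; the bridge and interface names are assumptions. Guests get only DHCP and DNS from the Aspire, are forwarded only to non-private destinations, and are SNATed to the Aspire&apos;s address, so the old router sees a single host. Set <envar>IPT=echo</envar> to print the rules instead of loading them.</para>

```shell
#!/bin/sh
# Guest-network isolation for configuration (c.): br0 = eth0 + wlan0 ("Acer_A1",
# trusted, 192.168.1.0/24), wlan0_0 = open "Welcome" SSID (172.17.0.0/16).
# Interface and bridge names are assumptions; adjust them to your setup.
# Set IPT=echo to print the rules instead of loading them.

BR=br0                      # bridge carrying the trusted networks (assumed name)
GUEST_IF=wlan0_0            # interface of the open "Welcome" SSID
GUEST_NET=172.17.0.0/16
AP_ADDR=192.168.1.55        # the Aspire's own address on the bridge
PRIVATE_NETS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

ipt() { ${IPT:-/usr/sbin/iptables} "$@"; }

flush_rules() {
    for t in filter nat; do ipt -t $t -F; ipt -t $t -X; done
}

guest_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Trusted side may talk to the Aspire itself (ssh, RADIUS, XDMCP, ...)
    ipt -A INPUT -i $BR -j ACCEPT
    # Frames switched between eth0 and wlan0 also pass FORWARD when
    # bridge-nf-call-iptables is 1; without this rule the LAN would stall
    ipt -A FORWARD -i $BR -o $BR -j ACCEPT
    # Guests reach only DHCP and DNS on the Aspire, nothing else
    ipt -A INPUT -i $GUEST_IF -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i $GUEST_IF -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i $GUEST_IF -p tcp --dport 53 -j ACCEPT
    # Guests never reach private address space, which includes the LAN behind
    # br0; these DROPs must come before the ACCEPT below
    for net in $PRIVATE_NETS; do
        ipt -A FORWARD -i $GUEST_IF -d $net -j DROP
    done
    # Everything else from guests goes out via the bridge; -s rejects spoofed sources
    ipt -A FORWARD -i $GUEST_IF -o $BR -s $GUEST_NET -j ACCEPT
    # Hide the guest network behind the Aspire's LAN address, because the
    # SRX 200 only NATs the network directly connected to it
    ipt -t nat -A POSTROUTING -o $BR -s $GUEST_NET -j SNAT --to-source $AP_ADDR
}

# Load the rules with: sh guest-fw.sh apply
if [ "${1:-}" = apply ]; then
    echo 1 > /proc/sys/net/ipv4/ip_forward
    flush_rules
    guest_rules
fi
```

      <para>The order of the FORWARD rules is what matters: the DROPs for private destinations precede the guest ACCEPT, so a guest can resolve names and reach the Internet but cannot touch 192.168.1.0/24 or the printer on it. Configuration (a.) differs only in that the trusted wireless network is a routed 192.168.11.0/24 instead of a bridge member, so it would get its own MASQUERADE rule towards eth0 instead of the bridged FORWARD rule.</para>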
 279     </sect2>
 280   </sect1>
 281   <sect1 id="using-softwarepackage" xreflabel="Using SOFTWARE">
 282 <?dbhtml filename="install-a.html"?>    <title>Initial Configuration <emphasis role="bold">(a.)</emphasis> - installation instructions for all the necessary software for all configurations.</title>
  283     <para>I installed all the necessary programs from source in <filename>/usr/local</filename>. I left some configuration files in <filename>/usr/local/etc</filename> and moved some to <filename>/etc/</filename>. There are Slackware packages on SlackBuilds.org, or you can make your own if you decide it is worth the effort, considering that installing from source is easier.</para>
 284     <sect2>
 285       <title>The easiest way of installing Slackware on Acer Aspire One</title>
  286       <para>This chapter is probably unnecessary, but I love to preach about Slackware.</para>
  287       <para>You need a Linux machine with an FTP server to host a Slackware mirror, and a USB stick.</para>
 288       <para>First you have to create a Slackware mirror by getting the script <filename>mirror-slackware-current.sh</filename> from Alien Pastures and running it. The script will put the mirror by default in the <filename>/home/ftp</filename> directory, which is exactly where you need it for the last step.</para>
 289       <para>After this is done insert a USB stick, go to the directory</para>
 290       <para><filename>/home/ftp/pub/Linux/Slackware/slackware-current/usb-and-pxe-installers</filename></para>
 291       <para>unmount the USB if it is mounted and run the script to make a startup USB.</para>
  292       <screen>cd /home/ftp/pub/Linux/Slackware/slackware-current/usb-and-pxe-installers
 293 dmesg |grep sd
 294 [86504.700524]  sdb: sdb1
 295 [86504.708517] sd 6:0:0:0: [sdb] Assuming drive cache: write through
 296 umount /dev/sdb1
 297 sh usbimg2disk.sh -i usbboot.img -o /dev/sdb</screen>
  298       <para>Boot from the USB and install Slackware. Here is how to do it: <ulink url="http://www.slackbook.org/html/installation.html">http://www.slackbook.org/html/installation.html</ulink>. Use a network cable (it makes things easier) to connect the laptop to the network; you will need it anyway to access the machine during the configuration of the access point, and afterwards as your uplink.</para>
 299     </sect2>
 300     <sect2>
 301       <title>Kernel configuration</title>
  302       <para>It is a good idea to start by recompiling your kernel. Click on <ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=kernel.config.2.6.38.7">.config</ulink> to download my configuration file and put it in <filename>/usr/src/linux</filename>. This is not a fully optimized version: only the processor is set to Intel Atom and some obviously unnecessary stuff is removed. I chose not to put here a version that is too customized to my needs. I used the <option>-j 8</option> option of <command>make</command> since it builds bzImage and the modules faster. It seems <option>-j 8</option> gives the best results, but on the first compilation you will not have this advantage. Anyway, it will take forever to compile even with the <option>-j 8</option> option. It is important not to forget to rebuild and reinstall the MadWifi drivers if someday you decide to optimize your kernel.</para>
 303       <para>In case you want to keep Windows and resize its partition, the best solution is SystemRescueCd. Follow the instructions for installing it on a USB stick from here <ulink url="http://www.sysresccd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_an_USB-stick">http://www.sysresccd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_an_USB-stick</ulink>. It is a good idea to archive the partitions of your Aspire, in case you decide to return it back to the current state someday; if you can afford the space to keep the images.</para>
 304     </sect2>
 305     <sect2>
 306       <title>Remote access - XDMCP</title>
  307       <para>Depending on how comfortable you feel with the small keyboard and monitor of the Aspire, you may consider enabling XDMCP. Here is a good guide on how to do it: <ulink url="http://alien.slackbook.org/blog/running-x-window-on-ms-windows/">http://alien.slackbook.org/blog/running-x-window-on-ms-windows/</ulink>. Keep in mind that XDMCP and the X sessions it starts are neither encrypted nor authenticated, so allow it only from the wired or private side of the network, never from the uplink or the open SSID; <command>ssh -X</command> is the safer alternative when you need it from anywhere else. If you have CygWin already installed you do not need to install another X server; simply run</para>
 308       <cmdsynopsis>
 309         <command>xwin <option>-query</option><parameter>Aspire.IP.address</parameter></command>
 310       </cmdsynopsis>
 311       <para>from a CygWin terminal.</para>
 312     </sect2>
 313     <sect2>
 314       <title>For consideration:</title>
  315       <para>FreeRadius <ulink url="http://freeradius.org/">http://freeradius.org/</ulink> - Strictly speaking, RADIUS support is necessary only if you want the following capabilities: WPA Enterprise (802.1X) authentication, the ability to add more access points, or authentication against external user databases like LDAP or Novell eDirectory. It is also important to consider the choice between a standalone RADIUS server and the RADIUS server integrated into hostapd. With so many choices, I thought it a good idea to explain my arguments for choosing FreeRadius. First of all, WEP, even in its 128-bit version, is broken: its key can be recovered in minutes with freely available tools, so it is not an option for anything you care about; and in any case it is so easy to configure that it takes away all the fun from the task. In its most basic configuration FreeRadius is really easy to install and configure, which means that obtaining WPA Enterprise requires only a modest amount of effort. Configuring RADIUS in general is certainly not easy (it requires a lot of patience), and it may take days to set it up as an LDAP gateway, but it is five minutes of work in the simplest scenario, as in the example here with flat ASCII files. I suspect that using the RADIUS server integrated into hostapd gives a lower CPU load than a separate RADIUS server, which has to be considered for small embedded routers. FreeRadius, though, has low processing requirements, so the dedicated Aspire can easily run it.</para>
 316       <para>If you opt for FreeRadius, you can download the latest version from <ulink url="http://freeradius.org/download.html">http://freeradius.org/download.html</ulink>. I used the freeradius-server-2.1.11 version.  The installation is as simple as typing the command ./configure, make, make install. The following instructions can be used to configure RADIUS <ulink url="http://wiki.freeradius.org/Basic-configuration-HOWTO">http://wiki.freeradius.org/Basic-configuration-HOWTO</ulink>.  If you used <filename>./configure</filename> without additional options the &quot;<filename>users</filename>&quot; file will be created in &quot;<filename>/usr/local/etc/raddb</filename>&quot;.</para>
 317       <itemizedlist>
 318         <listitem>
  319           <para>First, create some users, simply by appending at the end of the &quot;<filename>users</filename>&quot; file something like:
  320 <userinput>User1 Cleartext-Password := &quot;password1&quot;</userinput>. Note that this file now holds passwords in clear text, so keep it readable only by root and by the user <command>radiusd</command> runs as.</para>
 321         </listitem>
 322         <listitem>
  323           <para>Second, change the <command>&quot;secret=12345:-)&quot;</command> statement in <filename>clients.conf</filename>; use a long random value rather than something guessable. No further actions are needed, since all communication in this configuration goes through the <interface>loopback</interface> address, which is configured by default.</para>
 324         </listitem>
 325         <listitem>
  326           <para>Third, copy the <filename>rc.radiusd</filename> script from <filename>freeradius-server-2.1.11/scripts</filename> to <filename>/etc/rc.d/</filename>. Run the first tests of your newly installed RADIUS server with <command>&quot;radiusd -X&quot;</command>; it stays in the foreground and prints every request and its result. Once you are satisfied, insert the line &quot;<command>/etc/rc.d/rc.radiusd start</command>&quot; in the <filename>&quot;/etc/rc.d/rc.local&quot;</filename> file. Create the file <filename>&quot;/etc/rc.d/rc.local_shutdown&quot;</filename>, make it executable and put the corresponding &quot;<command>/etc/rc.d/rc.radiusd stop</command>&quot; in it. From now on, if there are problems with RADIUS, look in <filename>/usr/local/var/log/radius</filename>. There is also a lot of authentication-related information in <filename>/usr/local/var/log/radius/radacct/127.0.0.1</filename>.
 327 </para>
 328         </listitem>
 329         <listitem>
  330           <para>Finally, the default self-signed certificates generated during the installation in <filename>&quot;/usr/local/etc/raddb/certs&quot;</filename> work, but if you want your certificates to show something other than the example values you can generate your own; all of the certificates are located in the RADIUS sub-directory <filename>&quot;certs&quot;</filename>. Whatever certificate you use, configure the supplicants (the WPA software on the clients) to verify the server certificate against your CA; otherwise anyone broadcasting the same SSID with a rogue RADIUS server behind it can collect your users&apos; credentials.</para>
 331         </listitem>
 332       </itemizedlist>
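      <para>The three steps above (users file, client secret, test run) can be done with a short script. This is an added example and not part of the HOWTO or of FreeRADIUS; it assumes the default installation path from the text (<filename>/usr/local/etc/raddb</filename>) and the <command>radtest</command> utility that ships with FreeRADIUS 2.x. It replaces the shared secret with a random 128-bit hex string instead of a guessable one, appends a user entry, restricts the permissions of the <filename>users</filename> file (it contains cleartext passwords), and verifies the result against a server started with <command>radiusd -X</command>. The user name and password are placeholders.</para>

```shell
#!/bin/sh
# Minimal FreeRADIUS "files" setup for the loopback-only configuration in the
# text. Paths match the default ./configure prefix (/usr/local); the user name
# and password used below are placeholders. The "apply" step needs root.
RADDB=${RADDB:-/usr/local/etc/raddb}

# 32 hex characters (128 bits) from the kernel RNG: a secret that cannot be
# guessed, unlike "12345:-)". Used on loopback only, but still worth doing.
gen_secret() {
    od -An -tx1 -N16 /dev/urandom | tr -d ' \n'
}

# The line format FreeRADIUS expects in the users file.
users_entry() {
    printf '%s Cleartext-Password := "%s"\n' "$1" "$2"
}

# Replace every active (uncommented) "secret = ..." line in clients.conf.
# With the stock 2.x file that is only the "client localhost" stanza.
# GNU sed (as on Slackware) is assumed for -i.
set_client_secret() {
    sed -i "s|^\([[:space:]]*secret[[:space:]]*=\).*|\1 $2|" "$1"
}

# Append a user and make sure the file holding cleartext passwords is not
# world-readable.
add_user() {
    users_entry "$2" "$3" >> "$1"
    chmod 640 "$1"
}

# Ask the running server (radiusd -X in another terminal) for Access-Accept.
check_login() {
    radtest "$1" "$2" 127.0.0.1 0 "$3" | grep -q Access-Accept
}

# Usage: sh radius-setup.sh apply
if [ "${1:-}" = apply ]; then
    SECRET=$(gen_secret)
    set_client_secret "$RADDB/clients.conf" "$SECRET"
    add_user "$RADDB/users" User1 password1
    echo "shared secret for hostapd (auth_server_shared_secret): $SECRET"
    if check_login User1 password1 "$SECRET"; then
        echo "RADIUS answered Access-Accept"
    else
        echo "no Access-Accept: check the radiusd -X output"
        exit 1
    fi
fi
```

      <para>The printed secret is the value <application>hostapd</application> needs in its <option>auth_server_shared_secret</option> setting; the <command>radtest</command> call exercises the same PAP path the <filename>users</filename> file serves, so a failure here points at the server configuration rather than at the wireless side.</para>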
 333     </sect2>
 334     <sect2>
 335       <title>Necessary:</title>
 336       <itemizedlist spacing="compact">
 337         <listitem>
 338           <para><orgname>MadWifi project</orgname></para>
 339           <para><ulink url="http://madwifi-project.org/">http://madwifi-project.org/</ulink></para>
 340         </listitem>
 341         <listitem>
 342           <para>hostapd: IEEE 802.11 AP, IEEE 802.1X/WPA/WPA2/EAP/RADIUS Authenticator</para>
 343           <para><ulink url="http://hostap.epitest.fi/hostapd/">http://hostap.epitest.fi/hostapd/</ulink>.</para>
 344         </listitem>
 345       </itemizedlist>
  346       <para>I used <application>hostapd-0.7.3</application> and
  347         <application>madwifi-0.9.4-r4167-20110827</application>.</para>
 349       <para><emphasis role="bold">First</emphasis>, I installed <application>MadWifi</application> since there is a remark about hostapd in <filename>README-WPS</filename> mentioning that <application>hostapd</application> needs specifications about the location of the <application>MadWifi</application> libraries. All the instructions for installing <application>MadWifi</application> are found within the <filename>INSTALL</filename> file of the source. Look in the <filename>README</filename> file in the source for the necessary kernel configuration. Make the  necessary changes in your kernel or simply use my kernel <ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=kernel.config.2.6.38.7">.config</ulink>. The only thing not mentioned that I thought necessary to do is to enter &quot;<command>make install</command>&quot; at the end, simply to be sure all is on place.</para>
  350       <para><emphasis role="bold">Second</emphasis>, I installed <application>hostapd</application>. Here comes the most sophisticated part of the whole installation. Within the source directory (wherever you extracted it) there is a subdirectory <filename>hostapd</filename>. You need a <filename>.config</filename> file in order to compile hostapd. Copy the <filename>defconfig</filename> file to <filename>.config</filename> in the same directory and then edit <filename>.config</filename>. Its editing depends on the configuration that you want to build and the types of authentication that you plan to support. There are many important options that need consideration when editing the <filename>.config</filename> file: for example, do you want RADIUS and, if yes, with what kind of support, etc. These are the changes I made to my .config:</para>
 351       <para><screen>CONFIG_DRIVER_MADWIFI=y
 352 CFLAGS += -I/tmp/2/madwifi-0.9.4-r4167-20110827 # change to the madwifi source directory
 353 CONFIG_DRIVER_NL80211=y
 354 CONFIG_WPS=y
 355 CONFIG_WPS_UPNP=y
 356 CONFIG_RADIUS_SERVER=y
 357 CONFIG_IEEE80211R=y
 358 CONFIG_DRIVER_RADIUS_ACL=y
 359 CONFIG_IEEE80211N=y</screen></para>
 360       <para>And here is the link to get my <filename>.config</filename> which I called &quot;<ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=hostapd.config">hostapd.config</ulink>&quot; to avoid confusion with the kernel <filename>.config</filename>. Copy it in the <filename>hostapd</filename> subdirectory and rename it <filename>.config</filename> and then &quot;<command>make</command>&quot;, &quot;<command>make install</command>&quot;. Change the path to the <application>MadWifi</application> libraries depending on your installation location choice.<screen>CFLAGS += -I/tmp/2/madwifi-0.9.4-r4167-20110827</screen>I strongly recommend reading my file and also the <filename>README</filename> and <filename>README-WPS</filename> that are in the same directory even if you simply decide to use my configuration file. This will give you better understanding and may also spark ideas for interesting experiments. If you decide to dig deeper, check the dependencies between the variables in the <filename>Makefile</filename> &quot;ifdef constructions&quot;. Follow the &quot;Matrix&quot; movie&apos;s advice and  &quot;Go to the source&quot;.</para>
      <para>Create the <filename>/etc/hostapd/</filename> directory and copy into it at least the <filename>hostapd.conf</filename> file from the source directory (do not confuse it with my <filename>hostapd.config</filename>, which is a copy of my <filename>.config</filename> for building <application>hostapd</application>). These are the changes for configuration (a.); the shared secret values are placeholders:
 362 <screen>#driver=madwifi
 363 #ctrl_interface_group=0
 364 #ssid=test
 365 ssid=Acer_A1
 366 hw_mode=g
 367 channel=11
 368 ieee8021x=1
 369 eapol_key_index_workaround=1
 370 nas_identifier=komsalov.homelinux.org
 371 auth_server_addr=127.0.0.1
 372 auth_server_port=1812
 373 auth_server_shared_secret=12345:-)
 374 acct_server_addr=127.0.0.1
 375 acct_server_port=1813
 376 acct_server_shared_secret=12345:-)
 377 wpa=1
 378 wpa_key_mgmt=WPA-EAP
 379 wpa_pairwise=TKIP
 380 wpa_group_rekey=300
 381 wpa_gmk_rekey=640
 382 bss=wlan0_0
 383 ssid=Welcome</screen></para>
      <para>You may need to copy some other files, and eventually create some, if you decide to change the configuration; of course fix the paths to them in <filename>hostapd.conf</filename>. Here is my <filename>hostapd.conf</filename> for network configuration (a.). It can be used as it is; the only absolutely necessary change is to put your own RADIUS secrets in place of the two placeholders below. Use a long random string (the value shown is a placeholder, not a usable secret), use the same value on the RADIUS side, and keep <filename>hostapd.conf</filename> readable by root only, since the secrets sit in it in clear text.
 385 <screen>auth_server_shared_secret=12345:-)
 386 acct_server_shared_secret=12345:-)</screen></para>
      <para>At first, run <application>hostapd</application> in a terminal with debugging enabled, like this:
 388 <screen>/usr/local/bin/hostapd -dd /etc/hostapd/hostapd.conf</screen></para>
      <para>You can either start directly with my file or with the example file from the source directory first. The example file creates one open network with <command>ssid=test</command>, which gives you some confidence. It is a good idea to begin like this before setting up the DHCP server and eventually masquerading with the firewall; it helps you pinpoint the problems that need fixing. If you start two or more encrypted ssid&apos;s, DHCP, DNS and the firewall at once, it will be harder to identify the source of any problems. It is also better to test the configuration with any wireless client other than Windows; even a simple iPod will do. Configuring Windows to work with a RADIUS server that uses self-signed certificates for WPA is a bit tricky, and it is hard to tell whether the client or the AP is the problem. There are two things you may consider here: to use CCMP instead of TKIP and to switch from WPA to WPA2. Both are worth doing, since TKIP is the interim cipher that WPA2 with CCMP was meant to replace; I decided to leave this decision for configuration (c.), because this is the one I will keep until I can afford to dedicate my Aspire to configuration (b.).</para>
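      <para>An added check, not from this HOWTO and not part of <application>hostapd</application>, written in the same shell the rest of this page is typed into: a small linter for the first BSS of a <filename>hostapd.conf</filename> that flags the weak choices discussed above (<varname>wpa=1</varname>, a TKIP pairwise cipher, short RADIUS shared secrets, a world-readable file). The sample configuration it runs on is constructed here and mirrors the values shown for configuration (a.); the 16-character minimum for the secrets is my own threshold.</para>

```sh
#!/bin/sh
# Added example for this HOWTO, not part of hostapd: lint the first BSS of a
# hostapd.conf for the weak choices discussed in the text.

# conf_get FILE KEY: value of the first uncommented "KEY=value" line.
conf_get() {
    awk -v k="$2" '
        /^[[:space:]]*#/ { next }
        index($0, k "=") == 1 { print substr($0, length(k) + 2); exit }
    ' "$1"
}

# weak_settings FILE: print one finding per line; prints nothing when clean.
weak_settings() {
    conf="$1"
    wpa=$(conf_get "$conf" wpa)
    wpa_pairwise=$(conf_get "$conf" wpa_pairwise)
    rsn_pairwise=$(conf_get "$conf" rsn_pairwise)

    # wpa=1 is WPA1 only; wpa=3 keeps WPA1 reachable next to WPA2.
    case "$wpa" in
        1) echo "wpa=1: WPA1 only, set wpa=2 for WPA2/RSN" ;;
        3) echo "wpa=3: mixed mode still offers WPA1, prefer wpa=2" ;;
    esac

    # rsn_pairwise is the WPA2 cipher list; when it is unset hostapd falls back
    # to wpa_pairwise, so wpa=2 plus wpa_pairwise=TKIP is still a TKIP network.
    if [ "$wpa" = 1 ] || [ -z "$rsn_pairwise" ]; then
        effective="$wpa_pairwise"
    else
        effective="$rsn_pairwise"
    fi
    case "$effective" in
        *TKIP*) echo "pairwise cipher '$effective' includes TKIP, use rsn_pairwise=CCMP" ;;
    esac

    # The secrets are shared with the RADIUS server in clear text: demand length
    # (16 characters is this example's own threshold).
    for key in auth_server_shared_secret acct_server_shared_secret; do
        secret=$(conf_get "$conf" "$key")
        if [ -n "$secret" ]; then
            if [ "${#secret}" -lt 16 ]; then
                echo "$key: only ${#secret} characters, use a long random secret"
            fi
        fi
    done

    # The file carries those secrets, so nobody but root should read it.
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "$conf is world-readable, chmod 600 it"
    fi
}

# count_weak_settings FILE: number of findings, printed on stdout.
count_weak_settings() {
    weak_settings "$1" | awk 'END { print NR }'
}

# Demo on a constructed sample mirroring the configuration (a.) values above.
sample=$(mktemp)
chmod 600 "$sample"
cat > "$sample" <<'EOF'
#driver=madwifi
ssid=Acer_A1
ieee8021x=1
auth_server_addr=127.0.0.1
auth_server_shared_secret=12345:-)
acct_server_addr=127.0.0.1
acct_server_shared_secret=12345:-)
wpa=1
wpa_key_mgmt=WPA-EAP
wpa_pairwise=TKIP
bss=wlan0_0
ssid=Welcome
EOF
weak_settings "$sample"
rm -f "$sample"
```

      <para>Run it against <filename>/etc/hostapd/hostapd.conf</filename> after every change; on the configuration (a.) sample it reports four findings (WPA1, TKIP, and the two short secrets), and a clean file prints nothing. It only reads the lines before the first <varname>bss=</varname>, which is what you want here since the second BSS (Welcome) is intentionally open.</para>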
      <para>Once you get bored of watching <application>hostapd</application> in a terminal and running it manually, you can get <filename>rc.hostapd</filename> from <ulink url="http://slackbuilds.org/repository/13.0/network/hostapd/">http://slackbuilds.org/repository/13.0/network/hostapd/</ulink>. Put <filename>rc.hostapd</filename> in the <filename>/etc/rc.d</filename> directory, fix the paths in it, call it from <filename>/etc/rc.d/rc.local</filename> and stop it from <filename>rc.local_shutdown</filename>.</para>
 391       <para>At this state your rc.local should look like this:
 392 <screen>#!/bin/sh
 393 #
 394 # /etc/rc.d/rc.local:  Local system initialization script.
 395 #
 396 # Put any local startup commands in here.  Also, if you have
 397 # anything that needs to be run at shutdown time you can
 398 # make an /etc/rc.d/rc.local_shutdown script and put those
 399 # commands in there.
 400 
 401 
 402 /etc/rc.d/rc.radiusd start
 403 
 404 
 405 /sbin/ifconfig wlan0 up
 406 /sbin/iwconfig wlan0 channel auto
 407 
 408 
 409 route add default gw 192.168.1.1
 410 
 411 
 412 /sbin/ifconfig wlan0 192.168.11.1
 413 
 414 
 415 /etc/rc.d/rc.hostapd start
 416 
 417 
 418 /sbin/ifconfig wlan0_0 172.17.0.1
 419 
 420 
 421 /usr/sbin/dhcpd wlan0 wlan0_0
 422 
 423 
 424 #EOF</screen></para>
 425       <para>And your  rc.local_shutdown:
 426 <screen>#!/bin/sh
 427 #
 428 
 429 /etc/rc.d/rc.hostapd stop
 430 
 431 
/etc/rc.d/rc.radiusd stop
 433 
 434 #EOF</screen></para>
      <para>The &quot;<command>/sbin/ifconfig wlan0 up ; /sbin/iwconfig wlan0 channel auto</command>&quot; commands in <filename>rc.local</filename> should not be necessary, but without them you get an error when <application>hostapd</application> sets the channel.</para>
 436       <para>Here is my simple dhcpd.conf file:<screen>
 437 
 438 authoritative;
 439 ddns-update-style none;
 440 
 441 
 442 default-lease-time 604800;
 443 # 7 days 7*86400
 444 
 445 
 446 max-lease-time 2592000;
 447 # 30 days 30*86400
 448 
 449 
 450 subnet 192.168.11.0 netmask 255.255.255.0 {
 451    range 192.168.11.10 192.168.11.100;
 452    range 192.168.11.150 192.168.11.200;
 453 
 454 
 455 option domain-name &quot;mydomain.org&quot;;
 456 option broadcast-address 192.168.11.255;
 457 option routers 192.168.11.1;
 458 option domain-name-servers 192.168.11.1, 207.164.234.193, 207.164.234.129;
 459 
 460 
 461     }
 462 
 463 
 464 subnet 172.17.0.0 netmask 255.255.0.0 {
 465    range 172.17.0.10 172.17.255.250;
 466 
 467 
 468 option domain-name &quot;mydomain.org&quot;;
 469 option broadcast-address 172.17.255.255;
 470 option routers 172.17.0.1;
 471 option domain-name-servers 172.17.0.1, 207.164.234.193, 207.164.234.129;
 472 
 473 
 474     }
 475 
 476 
 477 #log-facility local7;</screen></para>
 478       <para>I decided to have a caching DNS server on the Aspire; it is not mandatory, but it is necessary to put your DNS servers in the <filename>dhcpd.conf</filename>.</para>
 479     </sect2>
 480     <sect2>
 481       <title>Optional programs:</title>
 482       <para><application>
 483           <emphasis role="bold">Firewall builder</emphasis>
 484         </application> by NetCitadel <ulink url="http://www.fwbuilder.org/">http://www.fwbuilder.org/</ulink>
Having a firewall is not exactly optional, and you will have to do some NAT with iptables anyway. Of course you may do it by hand, but I strongly recommend Firewall Builder. From my point of view it is by far the best firewall management solution on the market, and it is free on Linux. Here is a simple script, <ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=acerap.fw">acerap.fw</ulink>, generated with it for configuration (a.), as an example. On Slackware, download the source, compile it, and run <command>ldconfig</command> after &quot;<command>make install</command>&quot;.</para>
      <para><emphasis role="bold">Wireshark</emphasis> - <ulink url="http://www.wireshark.org/">http://www.wireshark.org/</ulink>
Wireshark is unnecessary for the current configuration, but at some point you will certainly want to know what is going on. As you are in the process of downloading and compiling anyway, install it to have it on hand when necessary. I recommend that you pass at least &quot;<command>./configure --enable-threads</command>&quot; if no other option. It improves performance and the program remains stable. Do not run the Wireshark GUI as root on the AP: let <command>dumpcap</command> capture as an unprivileged user (the Wireshark documentation describes how to give it the capture capability) and analyse as that user, since the protocol dissectors are a large parsing surface that you would rather not expose with root privileges to whatever your guests send.</para>
 488     </sect2>
 489   </sect1>
 490   <sect1>
 491     <title>Configuration <emphasis role="bold">(b.)</emphasis> - VLAN&apos;s and switches</title>
 492     <para>For this configuration I used a Cisco Catalyst 2900 XL switch. I am on Bell Sympatico ADSL with SpeedStream 5360 Ethernet ADSL modem, which is actually only a bridge. It turned out that it does not matter how I configured the port of the Cisco Catalyst, it did not detect the SpeedStream. Finally, I gave up and used one small 5 port TrendNet TE100-SS/CA switch in between them. Since all SpeedStream 5360&apos;s are gone nowadays, you probably will not have this problem. DSL modems nowadays are actually routers and have integrated PPPoE support and for this configuration it is only necessary to VLAN the switch and <interface>eth0</interface>. I used a Cisco Catalyst (which is actually not so bad) only because this is what I managed to borrow, but if you are thinking of buying a switch look for something better.</para>
    <para>I configured two additional VLAN&apos;s on it:<screen>VLAN Name                             Status    Ports
 494 VLAN Name                             Status    Ports
 495 ---- -------------------------------- --------- -------------------------------
 496 1    default                          active    Fa0/2, Fa0/3, Fa0/4, Fa0/5,
 497                                                 Fa0/6, Fa0/7, Fa0/8, Fa0/13,
 498                                                 Fa0/14, Fa0/15, Fa0/16, Fa0/20,
 499                                                 Fa0/21, Fa0/22, Fa0/23, Fa0/24
 500 2    VLAN0002                         active    Fa0/9, Fa0/10, Fa0/11, Fa0/12
 501 3    VLAN0003                         active    Fa0/17, Fa0/18, Fa0/19</screen></para>
    <para>Port Fa0/1 is the tagged (trunk) port towards the Aspire&apos;s <interface>eth0</interface>. I am not giving the detailed commands to set it up, since they depend on the switch model you have.</para>
 503     <para>From the side of Linux it is really easy; type the commands:<screen>ifconfig eth0 0.0.0.0</screen>(to remove the IP address from <interface>eth0</interface>)<screen>ip link add link eth0 name eth0.1 type vlan id 1
 504 ip link add link eth0 name eth0.2 type vlan id 2
 505 ifconfig eth0.1 up
 506 ifconfig eth0.2 up</screen></para>
 507     <para>Of course in &quot;vlan id NN&quot; the NN will have to be replaced with your VlanID. In my case the new IP addresses are set back like this:<screen>ifconfig eth0.1 0.0.0.0
 508 ifconfig eth0.2 192.168.1.55 netmask 255.255.255.0</screen></para>
 509     <para>If you like you can go with something more traditional like 192.168.1.1 for your future default gateway. I used <interface>eth0.1</interface> as the uplink. If you want your physical wireless and wired networks to be in the same network, to mimic the behavior of the commercial routers, you can bridge <interface>eth0.2</interface> and <interface>wlan0</interface>. Check configuration (c.) below for help with bridging. The only real reason you may want this is to use <trademark>Microsoft </trademark>workgroup network, though in this case you should consider installing Samba as a master browser on the Aspire.</para>
    <para>In my case I had to set up PPPoE by running the <filename>pppoe-setup</filename> script. This will not be necessary for most people, but if it is for you, then pay attention to the last question (asked by the <filename>pppoe-setup</filename> script) and answer it depending on the firewall management you choose. You may encounter additional MTU path discovery problems with Internet providers such as Bell Sympatico. If it turns out that you are able to ping external machines, but browsing barely works if at all, you will have to use a command like the next one in your firewall script:<screen>iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu</screen>In case you decide to use Firewall Builder, it is only a matter of ticking the check box &quot;<menuchoice>
        <guimenuitem>Clamp MSS to MTU</guimenuitem>
      </menuchoice>&quot; in the firewall settings. If you want to know more about this problem, check the &quot;Linux Advanced Routing &amp; Traffic Control HOWTO&quot;.</para>
    <para>I implemented the configuration with a managed switch rather than the one with a USB to Ethernet adapter, since to start with I had no such device. The second problem with such devices is actually making them work. Finally, I have difficulty believing the speeds that manufacturers advertise for USB to Ethernet adapters.</para>
 514   </sect1>
 515   <sect1>
 516     <title>Configuration <emphasis role="bold">(c.)</emphasis> - bridging</title>
    <para>I chose to stay with this configuration for now, since it allows me to pull my Aspire out of the network from time to time without losing Internet connectivity. When travelling, I use my Aspire as a GPS device in combination with a USB connected satellite antenna.</para>
 518     <para>These are the commands given in the necessary order placed inside the <filename>/etc/rc.d/rc.local</filename> file:<screen>#!/bin/sh
 519 #
 520 # /etc/rc.d/rc.local:  Local system initialization script.
 521 #
 522 # Put any local startup commands in here.  Also, if you have
 523 # anything that needs to be run at shutdown time you can
 524 # make an /etc/rc.d/rc.local_shutdown script and put those
 525 # commands in there.
 526 
 527 /etc/rc.d/rc.radiusd start
 528 
 529 /sbin/ifconfig wlan0 up
 530 /sbin/iwconfig wlan0 channel auto
 531 
 532 /etc/rc.d/rc.hostapd start
 533 
 534 /sbin/ifconfig wlan0_0 172.17.0.1
 535 
 536 /sbin/ifconfig eth0 up
 537 /sbin/ifconfig wlan0 up
 538 
 539 /usr/sbin/brctl addbr br0
 540 /sbin/ifconfig br0 up
 541 /usr/sbin/brctl addif br0 eth0
 542 /usr/sbin/brctl addif br0 wlan0
 543 
 544 /sbin/ifconfig br0 192.168.1.55
 545 
 546 /sbin/route add default gw 192.168.1.1
 547 
 548 /usr/sbin/dhcpd wlan0_0
 549 
 550 /etc/rc.d/firewall/acerap_br.fw
 551 /etc/rc.d/rc.traffic_shaping start
 552 
 553 /etc/rc.d/rc.bind restart
 554 
 555 #EOF</screen></para>
    <para>The part that concerns bridging is the <command>brctl</command> block in the middle. Bridging on Linux is really easy and should not cause you any trouble. Spanning tree should stay off, as it is by default; turn it on only if you really know what you are doing.
The dhcpd is bound only to <interface>wlan0_0</interface> to serve 172.17.0.0/16 addresses to the Welcome network. The network with the Acer_A1 ssid gets its IP addresses from the &quot;Linksys SRX 200&quot; DHCP server through the bridge (which forwards broadcasts transparently). From the DHCP server&apos;s and the rest of the LAN&apos;s point of view the Acer_A1 clients are simply on 192.168.1.0/24; only the firewall on the Aspire separates the Welcome clients from that network.
The <filename>
        <ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=rc.traffic_shaping">rc.traffic_shaping</ulink>
      </filename> script is for traffic shaping, which turned out to be necessary because some of the clients in Welcome misbehaved (see 6. Additional administrative tasks).</para>
 561     <para>Of course you will need a firewall as well, so here is the <ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=acerap_br.fwb">acerap_br.fwb</ulink> file created with the FWbuilder project and the script <ulink url="http://wiki.tldp.org/KrastyoKomsalov?action=AttachFile&amp;do=get&amp;target=acerap_br.fw">acerap_br.fw</ulink> it generated, really basic, but a good starting point.
I decided to switch to WPA2 after using this configuration for about one month. This required only changing <varname>wpa=1</varname> to <varname>wpa=2</varname> in <filename>/etc/hostapd/hostapd.conf</filename> and restarting hostapd. I was worried about the amount of work necessary to reconfigure all clients, but it turned out that only some small changes to the Windows clients were required. Note that with <varname>wpa_pairwise=TKIP</varname> and no <varname>rsn_pairwise</varname> line this is WPA2 with TKIP, because hostapd takes the RSN cipher list from <varname>wpa_pairwise</varname> when <varname>rsn_pairwise</varname> is not set; to get the AES-CCMP encryption that WPA2 is normally expected to mean, add <varname>rsn_pairwise=CCMP</varname> (clients that were told to use TKIP, like the Windows 7 setup below, then have to be switched to AES as well).</para>
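    <para>As an added example (not the page&apos;s <filename>acerap_br.fw</filename> and not generated by Firewall Builder), here is the part of a firewall script that the open guest network of configuration (c.) needs: the Welcome clients on <interface>wlan0_0</interface> (172.17.0.0/16) may reach the Internet through <interface>br0</interface>, but not the private 192.168.1.0/24 side of the bridge and not the services on the Aspire itself beyond DHCP and the caching DNS. It follows the <varname>$IPTABLES</varname> convention of the page&apos;s own script, with one twist: it previews the rules by default and only touches the running firewall when you set <varname>IPTABLES=/usr/sbin/iptables</varname>. The interface names and subnets are those of configuration (c.); the log prefix is my own choice.</para>

```sh
#!/bin/sh
# Added example, not from the HOWTO's acerap_br.fw: guest isolation for the
# open "Welcome" network of configuration (c.).
# Dry-run by default; IPTABLES=/usr/sbin/iptables sh guest_rules.sh applies it.
IPTABLES="${IPTABLES:-echo}"

GUEST_IF=wlan0_0          # Welcome BSS, served by dhcpd on the Aspire
GUEST_NET=172.17.0.0/16
LAN_IF=br0                # eth0 + wlan0 (Acer_A1), 192.168.1.0/24
LAN_NET=192.168.1.0/24

guest_isolation_rules() {
    # Guests may talk to the Aspire itself only for DHCP and DNS (the caching
    # named); everything else, RADIUS and ssh included, is dropped.
    $IPTABLES -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
    $IPTABLES -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
    $IPTABLES -A INPUT -i "$GUEST_IF" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A INPUT -i "$GUEST_IF" -j DROP

    # Forwarded guest traffic. A guest must use a Welcome address (no spoofing
    # of LAN addresses), must not reach the private LAN (the Linksys at
    # 192.168.1.1 included), and may then go out. The DROP has to precede the
    # ACCEPT, and both must precede any broad ESTABLISHED,RELATED shortcut.
    $IPTABLES -A FORWARD -i "$GUEST_IF" ! -s "$GUEST_NET" -j DROP
    $IPTABLES -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -d "$LAN_NET" \
        -j LOG --log-level warn --log-prefix "guest-to-lan "
    $IPTABLES -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -d "$LAN_NET" -j DROP
    $IPTABLES -A FORWARD -i "$GUEST_IF" -o "$LAN_IF" -s "$GUEST_NET" -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$GUEST_IF" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPTABLES -A FORWARD -i "$LAN_IF" -o "$GUEST_IF" -j DROP

    # Hide the guest addresses behind the Aspire's own 192.168.1.55 on br0,
    # since the Linksys knows nothing about 172.17.0.0/16.
    $IPTABLES -t nat -A POSTROUTING -s "$GUEST_NET" -o "$LAN_IF" -j MASQUERADE
}

guest_isolation_rules
```

    <para>Two caveats. First, the rules only govern traffic that is routed by the Aspire; frames bridged between <interface>wlan0</interface> and <interface>eth0</interface> inside <interface>br0</interface> are not matched by any of them, and the Acer_A1 clients remain full members of the private LAN. Second, they do not stop two Welcome clients from talking to each other through the access point at layer 2; for that, use client isolation in <application>hostapd</application> where your version supports it.</para>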
 563   </sect1>
 564   <sect1>
 565     <title>Clients setup - WPA and WPA2 with self-signed certificates.</title>
 566     <sect2>
 567       <title>Linux.</title>
      <para>Slackware comes with <application>Wicd</application> in the <filename>/Slackware/slackware-current/extra/wicd</filename> directory and it works fine, so simply install it. Most other distributions seem to be using <application>NetworkManager</application>, and there are no problems with it either.</para>
 569     </sect2>
 570     <sect2>
 571       <title>Mac OS X 10.7.2</title>
      <para>When I first tried to connect, it showed a message stating that the certificate is not from a known authority and offered me a check box to accept it permanently; then it asked for the <varname>username</varname> and <varname>password</varname> and worked fine afterwards. There is a key management program in the Mac OS utilities called <application>Keychain Access</application>. Here I marked the certificate as trusted and it became green. I am not sure if this was necessary, but I wanted to be on the safe side. I found instructions that recommended installing the certificate manually and in advance, but it turned out that the Mac does it for you. When you decide to use WPA2 there will be no need to even touch a Mac. It detects the change in the access point and reacts accordingly by readjusting its settings, even reusing the <varname>username</varname> and <varname>password</varname> from the previous configuration.</para>
 573     </sect2>
 574     <sect2>
      <title>iPod touch.</title>
      <para>I asked my son to do it, since I only have second-hand experience with those devices. Besides, I did not want to look for my glasses. It behaved the same way as the Mac: it asked to accept the certificate and then asked for the <varname>username</varname> and <varname>password</varname>.</para>
 577     </sect2>
 578     <sect2>
 579       <title>Windows 7</title>
      <para>Do not expect to get a question about the certificate at this point. You will have to install the certificate in advance yourself. Get it from <filename>/usr/local/etc/raddb/certs/</filename> on the Aspire; I used a USB stick. The instructions I found online are to create the connection manually and install the certificate as soon as the network connection setup wizard reaches the point of asking you for it. This did not help and Windows continued to complain about the certificate. I installed it through the Internet options section within the Control Panel, but this did not help either. I played with the check boxes (the best Windows approach, isn&apos;t it?) and did some googling. Suddenly it worked, and when I tried to connect it asked me to accept the certificate (the same one which I had installed and marked in advance as trusted in all the possible places!). This is the picture with the certificate&apos;s options.</para>
 581       <graphic fileref="Windows_WPA_setup_576.jpg"/>
      <para>As if this were not enough, you need to do the same for every user on each Windows machine; even on the same laptop the procedure for each user will be similar but unique.
The only advice I have is to be persistent and it will work. If you google the problem you will find that some people simply got around it by buying certificates; obviously that comes cheaper for a large number of laptops, but maybe quitting Windows is better.</para>
      <para>If you decide to use WPA2, Windows 7 will work fine, but it will not detect the change automatically. The properties change shown in the picture above will work. The encryption should remain TKIP, because the access point as configured above still offers only TKIP. Windows 7 will ask for the <varname>username</varname> and <varname>password</varname> and then it should work fine. Whatever the client, leave its &quot;validate the server certificate&quot; setting on and, where the client allows it, restrict it to the CA that signed your RADIUS certificate: a client configured to skip that check will hand its EAP credentials to any access point that broadcasts the same ssid, which is exactly what the certificate dance above is meant to prevent.</para>
 585     </sect2>
 586   </sect1>
 587   <sect1>
 588     <title>Additional administrative tasks you may consider necessary.</title>
 589     <sect2>
 590       <title>Limit bad clients - bit torrent.</title>
      <para>It did not take more than a couple of days for around thirty of my neighbours to start using the open &quot;Welcome&quot; network. Most of them turned out to be modest, doing mostly mail and some surfing, but two or three <application>bittorrent</application> fans turned out to be a problem. If you decide to provide some Internet for your neighbours you certainly should do something about this.</para>
      <para>You have at least two options: l7-filter from <ulink url="http://l7-filter.clearfoundation.com/">http://l7-filter.clearfoundation.com/</ulink> and ipp2p from <ulink url="http://www.ipp2p.org/">http://www.ipp2p.org/</ulink>. At one time or another I used both of them and the results are fairly similar. I still prefer <application>ipp2p</application>, as I believe it consumes less CPU. The project web page claims that the project is discontinued. This is not exactly true: it is only discontinued as a separate project for the external module. It was moved to <application>patch-o-matic</application>, which is today defunct, and after netfilter.org discontinued <application>patch-o-matic</application> it was moved to <application>xtables-addons</application>, which netfilter.org still supports. First, do not forget to install <application>libmnl</application> (also a netfilter.org project) and then <application>xtables-addons</application> from <ulink url="http://www.netfilter.org/projects/xtables-addons/index.html">http://www.netfilter.org/projects/xtables-addons/index.html</ulink>. Then you will need something like this:<screen>$IPTABLES -N Bittorrent
 593 $IPTABLES -t mangle -N Bittorrent
 594 $IPTABLES -t mangle -A PREROUTING -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
 595 $IPTABLES -A INPUT  -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
 596 $IPTABLES -A OUTPUT  -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
 597 $IPTABLES -A FORWARD  -s 172.17.0.0/16 -m ipp2p --bit -j Bittorrent
 598 $IPTABLES -A Bittorrent  -j LOG  --log-level info --log-prefix &quot;Bittorrent &quot;
 599 $IPTABLES -t mangle -A Bittorrent  -j LOG  --log-level info --log-prefix &quot;Bittorrent m &quot;
 600 $IPTABLES -A Bittorrent  -j DROP
 601 $IPTABLES -t mangle -A Bittorrent  -j DROP</screen></para>
      <para>Most of these commands are unnecessary; just doing:
<screen>iptables -t mangle -A PREROUTING -s 172.17.0.0/16 -m ipp2p --bit -j DROP</screen>
will do most of the job. Put it before the line
<screen>iptables -A XXXXX -m state --state ESTABLISHED,RELATED -j ACCEPT</screen>
to get it working.</para>
      <para>Anyway, do not expect too much from it, or from <application>l7-filter</application> for that matter. They will slow down <application>bittorrent</application> clients significantly, but both have problems recognising encrypted connections. At least the <application>bittorrent</application> clients will no longer be able to starve all other connections. If you are not satisfied with the results of the solution just described, combine it with traffic shaping (next paragraph).</para>
 608     </sect2>
 609     <sect2>
 610       <title>Traffic shaping</title>
 611       <para>The decision to spend time to setting up  and fine tuning traffic shaping depends on: the type of Internet connection used, the number of clients you have, their behavior and most important, will you provide some Internet for your neighbors.</para>
      <para>If you have a relatively fast and symmetric connection you have nothing to worry about, but if you are on something like ADSL and the modem or provider keeps an oversized queue, then moving the queue to your own machine makes a real difference. You can read about the reasons for getting control over your queue here: &quot;<ulink url="http://lartc.org/howto/lartc.cookbook.ultimate-tc.html">The Ultimate Traffic Conditioner</ulink>&quot;.</para>
 613       <para>It is important to mention that since &quot;<ulink url="http://lartc.org/howto/index.html">Linux Advanced Routing &amp; Traffic Control HOWTO</ulink>&quot; was written, lots of things have changed, though probably the most important new thing in the field of traffic shaping is the &quot;<ulink url="http://lartc.org/howto/index.html">Intermediate Functional Block device</ulink>&quot;. A lot of work has been done in the field and you have to be really careful when you are doing your own research since many of the online documentations and examples are outdated. Most examples will still work fine, but often better solutions have been developed.</para>
 614       <para>My traffic shaping script had the following goals:</para>
 615       <orderedlist numeration="loweralpha">
 616         <listitem>
 617           <para>Move the queue to my machine.</para>
 618         </listitem>
 619         <listitem>
 620           <para>Provide fairness between both my family clients and guests in the &quot;Welcome&quot; network.</para>
 621         </listitem>
 622         <listitem>
 623           <para>Give a warranted advantage to my own clients, leaving the clients in &quot;Welcome&quot; with what is left, while at the same time warranting some bandwidth for Welcome even in moments of heavy load. My Internet connection is actually 99% unused anyway, but I did not want to listen to complaints from my family.</para>
 624         </listitem>
 625         <listitem>
 626           <para>Have a method to separate clients that misbehave from the crowd.</para>
 627         </listitem>
 628       </orderedlist>
 629       <para>Here is the resulting script rc.traffic_shaping. It does what I wanted it to, but is certainly not perfect and will require additional fine-tuning. Anyway you will have to readjust it to your conditions.</para>
 630       <para>One important thing that needs to be mentioned is that limiting the outgoing traffic from a specific source, does not lead to proportional limitation to the incoming traffic. Most streaming protocols require small amounts of outgoing requests in order to get real floods of incoming video. As a result even class 1:13 (this is where baddies go), can seem too restrictive with its &quot;rate 10kbit burst 15kbit&quot;, but it actually gives them around 600kbits of download speed. This demonstrates that in order to have precise control you need to shape incoming connections as well.</para>
 631       <para>Next is the chart of outgoing traffic shaping.</para>
 632       <para>The traffic goes as follow:</para>
 633       <simplelist>
 634         <member>From Acer_A1 -&gt;1:11</member>
 635         <member>From Welcome -&gt; 1:12</member>
 636         <member>Bad clients -&gt; 1:13</member>
        <member>Between my cable clients and Acer_A1 -&gt; 1:2</member>
 638       </simplelist>
 639       <para>For example the traffic is classified by <command>iptables</command> with rules like this:</para>
 640       <para><command>iptables -t mangle -A POSTROUTING -s 192.168.1.0/24 -d 192.168.1.0/24 -j CLASSIFY --set-class 1:2</command>
 641 
 642 </para>
 643       <para>You can see how I set the classes in  &quot;Policy: Traffic_Control&quot; in <filename>acer_br.pdf</filename> or check the detailed syntax inside the <filename>acerap_br.fw</filename> script.</para>
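      <para>An added example, not part of the HOWTO&apos;s scripts, that connects the &quot;Bittorrent &quot; LOG rules above with the bad-clients class 1:13: it counts the hits per source address in the syslog lines that the LOG target produces, ranks them, and prints the CLASSIFY lines for the firewall script that move everyone above a threshold into class 1:13. The log lines in it are constructed to match the <option>--log-prefix &quot;Bittorrent &quot;</option> of the rules above and the syslog line layout of a Slackware box named acerap; the addresses and times are made up.</para>

```sh
#!/bin/sh
# Added example for this HOWTO: turn the "Bittorrent " LOG lines from the
# ipp2p rules into a ranking of guest addresses, and emit CLASSIFY rules that
# move the worst of them into the bad-clients class 1:13.

# bt_hits LOG: "count source" per SRC address, most hits first. Only the
# filter-table lines (prefix "Bittorrent ") are counted; the mangle-table
# duplicates ("Bittorrent m ") would count every packet twice.
bt_hits() {
    awk '
        /Bittorrent IN=/ {
            for (i = NF; i > 0; i--)
                if (substr($i, 1, 4) == "SRC=") { n[substr($i, 5)]++; break }
        }
        END { for (s in n) print n[s], s }
    ' "$1" | sort -rn
}

# bt_offenders LOG THRESHOLD: sources with at least THRESHOLD hits.
bt_offenders() {
    bt_hits "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# bt_classify_rules LOG THRESHOLD: lines for the firewall script that put
# those sources into class 1:13. Inserted (-I) so they take precedence over
# the broader CLASSIFY rules appended for the Welcome network.
bt_classify_rules() {
    bt_offenders "$1" "$2" | while read -r src; do
        echo "\$IPTABLES -t mangle -I POSTROUTING -s $src -j CLASSIFY --set-class 1:13"
    done
}

# Demo on constructed log lines (three guests, one mangle duplicate, one
# unrelated dhcpd line that must be ignored).
sample=$(mktemp)
cat > "$sample" <<'EOF'
Nov 12 20:15:03 acerap kernel: Bittorrent IN=wlan0_0 OUT=br0 SRC=172.17.0.23 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=51413 DPT=6881 SYN
Nov 12 20:15:03 acerap kernel: Bittorrent m IN=wlan0_0 OUT= SRC=172.17.0.23 DST=203.0.113.5 LEN=60 TTL=64 PROTO=TCP SPT=51413 DPT=6881 SYN
Nov 12 20:15:04 acerap dhcpd: DHCPACK on 172.17.0.77 to 00:11:22:33:44:55 via wlan0_0
Nov 12 20:15:07 acerap kernel: Bittorrent IN=wlan0_0 OUT=br0 SRC=172.17.0.77 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=6881 DPT=6889 SYN
Nov 12 20:15:09 acerap kernel: Bittorrent IN=wlan0_0 OUT=br0 SRC=172.17.0.23 DST=203.0.113.7 LEN=60 TTL=63 PROTO=UDP SPT=51413 DPT=6881
Nov 12 20:15:10 acerap kernel: Bittorrent IN=wlan0_0 OUT=br0 SRC=172.17.0.5 DST=192.0.2.44 LEN=60 TTL=63 PROTO=TCP SPT=40000 DPT=6881 SYN
Nov 12 20:15:12 acerap kernel: Bittorrent IN=wlan0_0 OUT=br0 SRC=172.17.0.23 DST=203.0.113.5 LEN=60 TTL=63 PROTO=TCP SPT=51413 DPT=6881 SYN
Nov 12 20:15:15 acerap kernel: Bittorrent IN=wlan0_0 OUT=br0 SRC=172.17.0.77 DST=198.51.100.9 LEN=60 TTL=63 PROTO=TCP SPT=6881 DPT=6889 SYN
EOF
bt_hits "$sample"
bt_classify_rules "$sample" 2
rm -f "$sample"
```

      <para>Point it at <filename>/var/log/messages</filename> (or at the separate firewall log set up in the log configuration section) and pick the threshold from the ranking; on the sample, 172.17.0.23 has three hits, 172.17.0.77 two and 172.17.0.5 one, so a threshold of 2 yields two CLASSIFY lines. Since dhcpd hands out addresses from a range, a client that reconnects may come back with a different address, so re-run it from time to time rather than treating the list as permanent.</para>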
 644       <graphic fileref="outgoing_traffic_shaping.jpg"/>
 645       <para>The next picture represents the chart of incoming traffic shaping.</para>
 646       <para>The traffic goes as follow:</para>
 647       <simplelist>
 648         <member>To Acer_A1 -&gt;1:31</member>
 649         <member>From Welcome -&gt; 1:32</member>
 650         <member>Bad clients -&gt; 1:33 - nobody is there yet, but it is ready:-).</member>
        <member>Between my cable clients and Acer_A1 -&gt; 1:4</member>
 652       </simplelist>
 653       <graphic fileref="incoming_traffic_shaping.jpg"/>
      <para>The first step in shaping the incoming traffic is to get the <interface>ifb0</interface> &quot;<ulink url="http://lartc.org/howto/index.html">Intermediate Functional Block device</ulink>&quot; working (outgoing traffic is shaped directly on <interface>eth0</interface>; the ingress side has no queue of its own, so it is redirected to <interface>ifb0</interface> and shaped there). It turned out that the module does not load automatically, so I load it in the <filename>rc.traffic_shaping</filename> script with: <screen>/sbin/modprobe ifb
 655 ifconfig ifb0 up</screen></para>
      <para>The next problem is really interesting; look at the part of the <filename>rc.traffic_shaping</filename> script pasted below:</para>
 657       <programlisting>##############################
 658 # It is necessary to mirror both eth0 and br0 to ifb0 in order to have both traffics
 659 # with destinations 172.17.0.0/16 and 192.168.1.0/24,
 660 # because each of them sees only one destination as outgoing.
 661 # You may check it by remarking one of the mirrors and the running WireShark on ifb0.
 662 
 663 
 664 tc filter add dev $DEV parent ffff: protocol ip prio 10 u32 \
 665  match ip dst 0.0.0.0/0 flowid 1: \
 666  action mirred egress redirect dev ifb0
 667 
 668 
 669 tc filter add dev br0 parent ffff: protocol ip prio 10 u32 \
 670  match ip dst 0.0.0.0/0 flowid 1: \
 671  action mirred egress redirect dev ifb0
 672 ##############################</programlisting>
 673       <para>The $DEV=eth0 is set at the beginning of the script.
 674 There is probably a better way of directing traffic to ifb0,  but this is the only way that works for me.
 675 You will need the following commands, to investigate and adjust the script to your own needs:</para>
 676       <programlisting>tc class ls dev eth0
 677 
 678 
 679 tc class ls dev ifb0
 680 
 681 
 682 tc -s -d qdisc show dev eth0
 683 
 684 
 685 tc -s -d qdisc show dev ifb0
 686 
 687 
 688 tc -s class show dev eth0</programlisting>
 689     </sect2>
 690     <sect2>
 691       <title>Cache DNS server.</title>
      <para>Having a caching DNS server was a great advantage back when everyone thought that a 28,800 modem was lightning fast. With today&apos;s speeds the percentage of bandwidth saved is close to zero, but it is so easy to install, and besides old habits die hard. Just make <filename>/etc/rc.d/rc.bind</filename> executable. Slackware has a <filename>/etc/named.conf</filename> pre-ready. It is a good idea to set up regular updates of <filename>named.root</filename> by creating the script <filename>/etc/cron.monthly/named.root</filename> with the following commands in it. The download goes to a temporary file, and the hints file is replaced and <application>named</application> restarted only when <command>wget</command> succeeded; an unconditional <option>-O</option> straight onto <filename>named.root</filename> would leave an empty hints file behind after a failed download and then restart <application>named</application> on it:<programlisting>#!/bin/sh
#
# Fetch the root hints into a temporary file first; an unconditional -O would
# truncate named.root even when the download fails.
tmp=$(mktemp) || exit 1
if /usr/bin/wget -q --user=ftp --password=ftp \
        http://www.internic.net/zones/named.root -O "$tmp"; then
        mv "$tmp" /var/named/caching-example/named.root
        /etc/rc.d/rc.bind restart
else
        rm -f "$tmp"
fi</programlisting></para>
 698     </sect2>
 699     <sect2>
 700       <title>Log configuration.</title>
 701       <para><emphasis role="bold">The dhcpd log</emphasis> can be moved to separate files by three simple steps:</para>
 702       <para>Putting the next line at the end of the <filename>dhcpd.conf</filename><programlisting>log-facility local7;</programlisting></para>
 703       <para>Append at the end of <filename>/etc/syslog.conf</filename> the line</para>
 704       <programlisting>local7.*                   -/var/log/dhcpd.log</programlisting>
 705       <para>Create an empty dhcpd.log by:<programlisting>:&gt; /var/log/dhcpd.log</programlisting></para>
 706       <para>Of course dhcpd and syslogd need to be restarted.</para>
      <para><emphasis role="bold">iptables log.</emphasis> It is a tempting idea to move the <command>iptables</command> log into a separate file if you use Firewall Builder or just enjoy extensive logs from your firewall. The complication here comes from the limited choice of &quot;<option>--log-level X</option>&quot; values. The LOG target runs inside the kernel, not in the <command>iptables</command> program, so every message arrives through <command>klogd</command> under the &quot;<emphasis role="bold">kern.*</emphasis>&quot; facility, and the only thing you control is the level, chosen from &quot;<emphasis role="bold">0 emerg, 1 alert, 2 crit, 3 err, 4 warning, 5 notice, 6 info, 7 debug</emphasis>&quot;. Besides, on Slackware <command>klogd</command> is started with &quot;<command>klogd -c 3</command>&quot;, which sends everything at &quot;<emphasis role="bold">crit</emphasis>&quot; or more severe to the console, so whatever you log at that level inevitably goes to the console as well. You may experiment with other levels or try changing &quot;<command>klogd -c 3</command>&quot; to something else.</para>
 708       <para>Everything else is simple after these difficult choices are made.</para>
      <para>First, either change the log level setting in Firewall Builder or, if you wrote your own script, set it to something like &quot;<parameter>-j LOG --log-level warn --log-prefix &quot;my log text&quot;</parameter>&quot;.</para>
 710       <para>After this is done, append at the end of <filename>/etc/syslog.conf</filename> the line:</para>
 711       <programlisting>kern.=warn                  -/var/log/fwbuilder.log</programlisting>
      <para>and exclude exactly that priority for <emphasis role="bold">kern</emphasis> from the <filename>/var/log/syslog</filename> line, which becomes:</para>
 713       <programlisting>*.warn;kern.!=warn;\
 714         authpriv.none;cron.none;mail.none;news.none        -/var/log/syslog</programlisting>
 715       <para>If you decide to experiment with other levels, for example &quot;<emphasis role="bold">notice</emphasis>&quot;, change the line like this:</para>
 716       <programlisting>kern.=notice                   /var/log/fwbuilder.log</programlisting>
      <para>But with &quot;<emphasis role="bold">notice</emphasis>&quot; the <filename>/var/log/syslog</filename> line (<emphasis role="bold">*.warn</emphasis>) is not affected; it is the <filename>/var/log/messages</filename> line that has to exclude <emphasis role="bold">kern.notice</emphasis> instead, edited in the same way:</para>
 718       <programlisting>*.info;*.!warn;kern.!=notice;\
 719         authpriv.none;cron.none;mail.none;news.none        -/var/log/messages</programlisting>
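      <para>The following is an added example, not part of the original HOWTO: a small shell function that interprets sysklogd selectors the way syslogd does (a <emphasis role="bold">facility.priority</emphasis> selector means that priority and everything more severe, <emphasis role="bold">=</emphasis> means exactly that priority, <emphasis role="bold">!</emphasis> negates, and later selectors on the same line override earlier ones for the facilities they name) and prints the action of every line that would receive a given message. The <filename>syslog.conf</filename> fragment inside it is constructed from the lines edited above (the <emphasis role="bold">warn</emphasis> variant) plus the dhcpd line, so the split can be checked without restarting syslogd; to check the real file, run <command>syslog_targets kern warn &lt; /etc/syslog.conf</command>.</para>

```sh
#!/bin/sh
# Added example (not code from the HOWTO): evaluate sysklogd selectors.
# syslog_targets FACILITY PRIORITY reads a syslog.conf on stdin and prints
# the action (log file) of every line that would receive such a message.

# Constructed syslog.conf fragment made from the lines edited in the text
# (the warn variant), plus the dhcpd line from the previous step.
SAMPLE_CONF='# Slackware-style layout with backslash continuations
*.info;*.!warn;\
        authpriv.none;cron.none;mail.none;news.none        -/var/log/messages
*.warn;kern.!=warn;\
        authpriv.none;cron.none;mail.none;news.none        -/var/log/syslog
kern.=warn                  -/var/log/fwbuilder.log
local7.*                    -/var/log/dhcpd.log
'

syslog_targets() {
    awk -v want_fac="$1" -v want_pri="$2" '
    BEGIN {
        nfac = split("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp local0 local1 local2 local3 local4 local5 local6 local7", facs, " ")
        # syslog priority numbers: 0 is the most severe
        p["emerg"] = 0; p["panic"] = 0; p["alert"] = 1; p["crit"] = 2
        p["err"] = 3; p["error"] = 3; p["warning"] = 4; p["warn"] = 4
        p["notice"] = 5; p["info"] = 6; p["debug"] = 7
        if (!(want_pri in p)) { print "unknown priority " want_pri > "/dev/stderr"; exit 2 }
        want = p[want_pri]
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        # join continuation lines; sysklogd strips the leading blanks of the next line
        line = $0
        while (sub(/\\[ \t]*$/, "", line)) {
            if ((getline nxt) != 1) break
            sub(/^[ \t]+/, "", nxt)
            line = line nxt
        }
        if (!match(line, /[ \t]+/)) next
        sel = substr(line, 1, RSTART - 1)
        action = substr(line, RSTART + RLENGTH)
        sub(/[ \t]+$/, "", action)

        # one priority mask per facility for this line; selectors apply left
        # to right, so a later kern.!=warn removes what *.warn added before
        split("", mask)
        ns = split(sel, sels, ";")
        for (s = 1; s <= ns; s++) {
            dot = index(sels[s], ".")
            if (dot == 0) continue
            pri = substr(sels[s], dot + 1)
            neg = 0; single = 0
            if (substr(pri, 1, 1) == "!") { neg = 1; pri = substr(pri, 2) }
            if (substr(pri, 1, 1) == "=") { single = 1; pri = substr(pri, 2) }
            nfl = split(substr(sels[s], 1, dot - 1), fl, ",")
            for (j = 1; j <= nfl; j++)
                for (k = 1; k <= nfac; k++) {
                    if (fl[j] != "*" && fl[j] != facs[k]) continue
                    f = facs[k]
                    if (pri == "none") { for (b = 0; b <= 7; b++) mask[f, b] = neg }
                    else if (pri == "*") { for (b = 0; b <= 7; b++) mask[f, b] = !neg }
                    else if (single) { mask[f, p[pri]] = !neg }
                    else { for (b = 0; b <= p[pri]; b++) mask[f, b] = !neg }
                }
        }
        if (mask[want_fac, want] == 1) print action
    }'
}

# Demonstration on the constructed fragment.
echo "kern.warn   ->" $(printf '%s' "$SAMPLE_CONF" | syslog_targets kern warn)
echo "kern.err    ->" $(printf '%s' "$SAMPLE_CONF" | syslog_targets kern err)
echo "local7.info ->" $(printf '%s' "$SAMPLE_CONF" | syslog_targets local7 info)
```

      <para>The printed action is exactly the text from the configuration, leading dash included. On the fragment above, <emphasis role="bold">kern.warn</emphasis> goes only to <filename>fwbuilder.log</filename>, <emphasis role="bold">kern.err</emphasis> only to <filename>syslog</filename>, and <emphasis role="bold">local7.info</emphasis> lands in both <filename>messages</filename> and <filename>dhcpd.log</filename>. The function only models selectors and the plain file action; remote (<emphasis role="bold">@host</emphasis>) and user actions are printed as written but not interpreted further.</para>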
      <para>There is no perfect choice: any other kernel message that happens to use the same priority, including some boot messages, will end up in <filename>fwbuilder.log</filename> instead of <filename>messages</filename> or <filename>syslog</filename>. The bigger problem is that genuine kernel errors emitted at that priority during normal operation are buried among the firewall lines.</para>
      <para>To see what else ends up in <filename>/var/log/fwbuilder.log</filename> besides the iptables lines, filter out the &quot;<emphasis role="bold">RULE</emphasis>&quot; prefix that Firewall Builder puts in <option>--log-prefix</option> (use your own prefix if you wrote the rules yourself):</para>
      <programlisting>grep -v RULE /var/log/fwbuilder.log</programlisting>
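      <para>As a further added example (again not code from the original HOWTO), here are a few shell functions that summarise the iptables lines in such a log: which rules fire most, which source addresses or destination ports dominate, and which lines are not firewall lines at all. The sample log is constructed for the demonstration in the format of the line quoted in the final section, using documentation addresses; the &quot;<emphasis role="bold">RULE</emphasis>&quot; prefix is the one Firewall Builder writes, so substitute your own <option>--log-prefix</option> if you wrote the rules yourself.</para>

```sh
#!/bin/sh
# Added example (not code from the HOWTO): summarise iptables LOG lines as
# written to /var/log/fwbuilder.log. All functions read the log on stdin.

# Constructed sample: the first line is the one quoted in the HOWTO, the
# rest are made up in the same format (TEST-NET addresses), plus one
# non-firewall kernel line that arrived through the same kern.=warn rule.
SAMPLE_LOG='Nov 21 21:29:49 acer kernel: [420579.216945] RULE 3 -- CONTINUE IN=wlan0_0 OUT=br0 SRC=172.17.128.154 DST=173.194.31.138 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58669 DF PROTO=TCP SPT=49604 DPT=80 WINDOW=0 RES=0x00 RST URGP=0
Nov 21 21:30:02 acer kernel: [420592.101200] RULE 7 -- DENY IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=1 DF PROTO=TCP SPT=40001 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 21:30:03 acer kernel: [420593.000100] RULE 7 -- DENY IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=48 ID=2 DF PROTO=TCP SPT=40002 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0
Nov 21 21:30:05 acer kernel: [420595.444400] RULE 7 -- DENY IN=eth0 OUT= MAC=00:00:5e:00:53:01:00:00:5e:00:53:02:08:00 SRC=203.0.113.9 DST=198.51.100.2 LEN=36 TOS=0x00 PREC=0x00 TTL=48 ID=3 PROTO=UDP SPT=40003 DPT=161 LEN=16
Nov 21 21:30:07 acer kernel: [420597.000000] usb 1-1: device not accepting address 2, error -71'

# top_rules: how often each "RULE <n> -- <action>" fired, most frequent first.
top_rules() {
    sed -n 's/.* RULE \([0-9][0-9]*\) -- \([A-Z]*\).*/RULE \1 \2/p' | sort | uniq -c | sort -rn
}

# top_by_field FIELD: count the distinct values of one key=value field
# (SRC, DST, DPT, PROTO, IN, ...) over the firewall lines only.
top_by_field() {
    grep ' RULE ' | awk -v f="$1" '
        { for (i = 1; i <= NF; i++) if (index($i, f "=") == 1) { c[$i]++; break } }
        END { for (k in c) print c[k], k }' | sort -rn
}

# non_firewall_lines: everything that reached the file without the RULE
# prefix, i.e. the kernel messages at this priority that are not firewall
# logs and would otherwise stay buried among them.
non_firewall_lines() {
    grep -v ' RULE '
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_rules
printf '%s\n' "$SAMPLE_LOG" | top_by_field DPT
printf '%s\n' "$SAMPLE_LOG" | non_firewall_lines
```

      <para>Against the live file, use for example <command>top_by_field SRC &lt; /var/log/fwbuilder.log</command> to see which outside addresses are hitting denied rules most often, and <command>non_firewall_lines &lt; /var/log/fwbuilder.log</command> as the periodic check for kernel errors hidden in the firewall log.</para>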
 723     </sect2>
 724   </sect1>
 725   <sect1>
 726     <title>Some final words.</title>
    <para>Over a month has passed since I started writing this document, while building the access point itself took me only three days.</para>
    <para>In that time the AP has not dropped a single connection, while providing coverage over a diameter of almost 100 meters. None of the timeout errors that were so common with the &quot;Linksys SRX 200&quot; router have occurred.</para>
    <para>Over 30 of my neighbors have started using it, more or less heavily, and some very heavily.</para>
 730     <para>For example, while writing this:</para>
 731     <screen>root@acer:/var/log# cat /proc/net/ip_conntrack |grep tcp -c
 732 565
 733 root@acer:/var/log# cat /proc/net/ip_conntrack |grep udp -c
 734 76</screen>
 735     <graphic fileref="iptraf_low.jpg" format="JPG" scale="75"/>
    <para>And even in a moment of heavy load, like the one below, not only does the network remain stable, but it also provides a decent speed for everyone.</para>
 737     <graphic fileref="iptraf.jpg" format="JPG" scale="55"/>
 738     <para>Now I have comprehensive log files like:</para>
 739     <screen>Nov 21 21:29:49 acer kernel: [420579.216945] RULE 3 -- CONTINUE IN=wlan0_0 OUT=br0
 740        SRC=172.17.128.154 DST=173.194.31.138 LEN=40 TOS=0x00 PREC=0x00 TTL=63 ID=58669
 741        DF PROTO=TCP SPT=49604 DPT=80 WINDOW=0 RES=0x00 RST URGP=0</screen>
 742     <para>All in all I am satisfied with the outcome. It was worth the effort, and the result surpassed the best of all my expectations.</para>
 743   </sect1>
 744 <!-- If you had a second appendix in an external file, you would call it
 745 here with the following: --><!-- This exactly matches the word you used at the very top of the
 746 document. Use whatever word makes sense to you so long as it only uses
 747 letters, underscores and hyphens. -->  <appendix id="gfdl">
 748     <title>GNU Free Documentation License</title>
 749 <!-- - GNU Project - Free Software Foundation (FSF) --><!-- LINK REV="made" HREF="mailto:webmasters@gnu.org" --><!-- http://www.gnu.org/copyleft/fdl.html -->    <sect1>
 750       <title>GNU Free Documentation License</title>
 751       <para>Version 1.1, March 2000</para>
 752       <blockquote>
 753         <para>Copyright (C) 2000  Free Software Foundation, Inc.
 754 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
 755 Everyone is permitted to copy and distribute verbatim copies
 756 of this license document, but changing it is not allowed.</para>
 757       </blockquote>
 758     </sect1>
 759     <sect1 id="gfdl-0">
 760       <title>PREAMBLE</title>
 761       <para>The purpose of this License is to make a manual, textbook,
 762     or other written document &quot;free&quot; in the sense of freedom: to
 763     assure everyone the effective freedom to copy and redistribute it,
 764     with or without modifying it, either commercially or
 765     noncommercially.  Secondarily, this License preserves for the
 766     author and publisher a way to get credit for their work, while not
 767     being considered responsible for modifications made by
 768     others.</para>
 769       <para>This License is a kind of &quot;copyleft&quot;, which means that
 770     derivative works of the document must themselves be free in the
 771     same sense.  It complements the GNU General Public License, which
 772     is a copyleft license designed for free software.</para>
 773       <para>We have designed this License in order to use it for manuals
 774     for free software, because free software needs free documentation:
 775     a free program should come with manuals providing the same
 776     freedoms that the software does.  But this License is not limited
 777     to software manuals; it can be used for any textual work,
 778     regardless of subject matter or whether it is published as a
 779     printed book.  We recommend this License principally for works
 780     whose purpose is instruction or reference.</para>
 781     </sect1>
 782     <sect1 id="gfdl-1">
 783       <title>APPLICABILITY AND DEFINITIONS</title>
 784       <para>This License applies to any manual or other work that
 785     contains a notice placed by the copyright holder saying it can be
 786     distributed under the terms of this License.  The &quot;Document&quot;,
 787     below, refers to any such manual or work.  Any member of the
 788     public is a licensee, and is addressed as &quot;you&quot;.</para>
 789       <para>A &quot;Modified Version&quot; of the Document means any work
 790     containing the Document or a portion of it, either copied
 791     verbatim, or with modifications and/or translated into another
 792     language.</para>
 793       <para>A &quot;Secondary Section&quot; is a named appendix or a front-matter
 794     section of the Document that deals exclusively with the
 795     relationship of the publishers or authors of the Document to the
 796     Document&apos;s overall subject (or to related matters) and contains
 797     nothing that could fall directly within that overall subject.
 798     (For example, if the Document is in part a textbook of
 799     mathematics, a Secondary Section may not explain any mathematics.)
 800     The relationship could be a matter of historical connection with
 801     the subject or with related matters, or of legal, commercial,
 802     philosophical, ethical or political position regarding
 803     them.</para>
 804       <para>The &quot;Invariant Sections&quot; are certain Secondary Sections
 805     whose titles are designated, as being those of Invariant Sections,
 806     in the notice that says that the Document is released under this
 807     License.</para>
 808       <para>The &quot;Cover Texts&quot; are certain short passages of text that
 809     are listed, as Front-Cover Texts or Back-Cover Texts, in the
 810     notice that says that the Document is released under this
 811     License.</para>
 812       <para>A &quot;Transparent&quot; copy of the Document means a
 813     machine-readable copy, represented in a format whose specification
 814     is available to the general public, whose contents can be viewed
 815     and edited directly and straightforwardly with generic text
 816     editors or (for images composed of pixels) generic paint programs
 817     or (for drawings) some widely available drawing editor, and that
 818     is suitable for input to text formatters or for automatic
 819     translation to a variety of formats suitable for input to text
 820     formatters.  A copy made in an otherwise Transparent file format
 821     whose markup has been designed to thwart or discourage subsequent
 822     modification by readers is not Transparent.  A copy that is not
 823     &quot;Transparent&quot; is called &quot;Opaque&quot;.</para>
 824       <para>Examples of suitable formats for Transparent copies include
 825     plain ASCII without markup, Texinfo input format, LaTeX input
 826     format, SGML or XML using a publicly available DTD, and
 827     standard-conforming simple HTML designed for human modification.
 828     Opaque formats include PostScript, PDF, proprietary formats that
 829     can be read and edited only by proprietary word processors, SGML
 830     or XML for which the DTD and/or processing tools are not generally
 831     available, and the machine-generated HTML produced by some word
 832     processors for output purposes only.</para>
 833       <para>The &quot;Title Page&quot; means, for a printed book, the title page
 834     itself, plus such following pages as are needed to hold, legibly,
 835     the material this License requires to appear in the title page.
 836     For works in formats which do not have any title page as such,
 837     &quot;Title Page&quot; means the text near the most prominent appearance of
 838     the work&apos;s title, preceding the beginning of the body of the
 839     text.</para>
 840     </sect1>
 841     <sect1 id="gfdl-2">
 842       <title>VERBATIM COPYING</title>
 843       <para>You may copy and distribute the Document in any medium,
 844     either commercially or noncommercially, provided that this
 845     License, the copyright notices, and the license notice saying this
 846     License applies to the Document are reproduced in all copies, and
 847     that you add no other conditions whatsoever to those of this
 848     License.  You may not use technical measures to obstruct or
 849     control the reading or further copying of the copies you make or
 850     distribute.  However, you may accept compensation in exchange for
 851     copies.  If you distribute a large enough number of copies you
 852     must also follow the conditions in section 3.</para>
 853       <para>You may also lend copies, under the same conditions stated
 854     above, and you may publicly display copies.</para>
 855     </sect1>
 856     <sect1 id="gfdl-3">
 857       <title>COPYING IN QUANTITY</title>
 858       <para>If you publish printed copies of the Document numbering more
 859     than 100, and the Document&apos;s license notice requires Cover Texts,
 860     you must enclose the copies in covers that carry, clearly and
 861     legibly, all these Cover Texts: Front-Cover Texts on the front
 862     cover, and Back-Cover Texts on the back cover.  Both covers must
 863     also clearly and legibly identify you as the publisher of these
 864     copies.  The front cover must present the full title with all
 865     words of the title equally prominent and visible.  You may add
 866     other material on the covers in addition.  Copying with changes
 867     limited to the covers, as long as they preserve the title of the
 868     Document and satisfy these conditions, can be treated as verbatim
 869     copying in other respects.</para>
 870       <para>If the required texts for either cover are too voluminous to
 871     fit legibly, you should put the first ones listed (as many as fit
 872     reasonably) on the actual cover, and continue the rest onto
 873     adjacent pages.</para>
 874       <para>If you publish or distribute Opaque copies of the Document
 875     numbering more than 100, you must either include a
 876     machine-readable Transparent copy along with each Opaque copy, or
 877     state in or with each Opaque copy a publicly-accessible
 878     computer-network location containing a complete Transparent copy
 879     of the Document, free of added material, which the general
 880     network-using public has access to download anonymously at no
 881     charge using public-standard network protocols.  If you use the
 882     latter option, you must take reasonably prudent steps, when you
 883     begin distribution of Opaque copies in quantity, to ensure that
 884     this Transparent copy will remain thus accessible at the stated
 885     location until at least one year after the last time you
 886     distribute an Opaque copy (directly or through your agents or
 887     retailers) of that edition to the public.</para>
 888       <para>It is requested, but not required, that you contact the
 889     authors of the Document well before redistributing any large
 890     number of copies, to give them a chance to provide you with an
 891     updated version of the Document.</para>
 892     </sect1>
 893     <sect1 id="gfdl-4">
 894       <title>MODIFICATIONS</title>
 895       <para>You may copy and distribute a Modified Version of the
 896     Document under the conditions of sections 2 and 3 above, provided
 897     that you release the Modified Version under precisely this
 898     License, with the Modified Version filling the role of the
 899     Document, thus licensing distribution and modification of the
 900     Modified Version to whoever possesses a copy of it.  In addition,
 901     you must do these things in the Modified Version:</para>
 902       <orderedlist numeration="upperalpha">
 903         <listitem>
 904           <para>Use in the Title Page
 905       (and on the covers, if any) a title distinct from that of the
 906       Document, and from those of previous versions (which should, if
 907       there were any, be listed in the History section of the
 908       Document).  You may use the same title as a previous version if
 909       the original publisher of that version gives permission.</para>
 910         </listitem>
 911         <listitem>
 912           <para>List on the Title Page,
 913       as authors, one or more persons or entities responsible for
 914       authorship of the modifications in the Modified Version,
 915       together with at least five of the principal authors of the
 916       Document (all of its principal authors, if it has less than
 917       five).</para>
 918         </listitem>
 919         <listitem>
 920           <para>State on the Title page
 921       the name of the publisher of the Modified Version, as the
 922       publisher.</para>
 923         </listitem>
 924         <listitem>
 925           <para>Preserve all the
 926       copyright notices of the Document.</para>
 927         </listitem>
 928         <listitem>
 929           <para>Add an appropriate
 930       copyright notice for your modifications adjacent to the other
 931       copyright notices.</para>
 932         </listitem>
 933         <listitem>
 934           <para>Include, immediately
 935       after the copyright notices, a license notice giving the public
 936       permission to use the Modified Version under the terms of this
 937       License, in the form shown in the Addendum below.</para>
 938         </listitem>
 939         <listitem>
 940           <para>Preserve in that license
 941       notice the full lists of Invariant Sections and required Cover
 942       Texts given in the Document&apos;s license notice.</para>
 943         </listitem>
 944         <listitem>
 945           <para>Include an unaltered
 946       copy of this License.</para>
 947         </listitem>
 948         <listitem>
 949           <para>Preserve the section
 950       entitled &quot;History&quot;, and its title, and add to it an item stating
 951       at least the title, year, new authors, and publisher of the
 952       Modified Version as given on the Title Page.  If there is no
 953       section entitled &quot;History&quot; in the Document, create one stating
 954       the title, year, authors, and publisher of the Document as given
 955       on its Title Page, then add an item describing the Modified
 956       Version as stated in the previous sentence.</para>
 957         </listitem>
 958         <listitem>
 959           <para>Preserve the network
 960       location, if any, given in the Document for public access to a
 961       Transparent copy of the Document, and likewise the network
 962       locations given in the Document for previous versions it was
 963       based on.  These may be placed in the &quot;History&quot; section.  You
 964       may omit a network location for a work that was published at
 965       least four years before the Document itself, or if the original
 966       publisher of the version it refers to gives permission.</para>
 967         </listitem>
 968         <listitem>
 969           <para>In any section entitled
 970       &quot;Acknowledgements&quot; or &quot;Dedications&quot;, preserve the section&apos;s
 971       title, and preserve in the section all the substance and tone of
 972       each of the contributor acknowledgements and/or dedications
 973       given therein.</para>
 974         </listitem>
 975         <listitem>
 976           <para>Preserve all the
 977       Invariant Sections of the Document, unaltered in their text and
 978       in their titles.  Section numbers or the equivalent are not
 979       considered part of the section titles.</para>
 980         </listitem>
 981         <listitem>
 982           <para>Delete any section
 983       entitled &quot;Endorsements&quot;.  Such a section may not be included in
 984       the Modified Version.</para>
 985         </listitem>
 986         <listitem>
 987           <para>Do not retitle any
 988       existing section as &quot;Endorsements&quot; or to conflict in title with
 989       any Invariant Section.</para>
 990         </listitem>
 991       </orderedlist>
 992       <para>If the Modified Version includes new front-matter sections
 993     or appendices that qualify as Secondary Sections and contain no
 994     material copied from the Document, you may at your option
 995     designate some or all of these sections as invariant.  To do this,
 996     add their titles to the list of Invariant Sections in the Modified
 997     Version&apos;s license notice.  These titles must be distinct from any
 998     other section titles.</para>
 999       <para>You may add a section entitled &quot;Endorsements&quot;, provided it
1000     contains nothing but endorsements of your Modified Version by
1001     various parties--for example, statements of peer review or that
1002     the text has been approved by an organization as the authoritative
1003     definition of a standard.</para>
1004       <para>You may add a passage of up to five words as a Front-Cover
1005     Text, and a passage of up to 25 words as a Back-Cover Text, to the
1006     end of the list of Cover Texts in the Modified Version.  Only one
1007     passage of Front-Cover Text and one of Back-Cover Text may be
1008     added by (or through arrangements made by) any one entity.  If the
1009     Document already includes a cover text for the same cover,
1010     previously added by you or by arrangement made by the same entity
1011     you are acting on behalf of, you may not add another; but you may
1012     replace the old one, on explicit permission from the previous
1013     publisher that added the old one.</para>
1014       <para>The author(s) and publisher(s) of the Document do not by
1015     this License give permission to use their names for publicity for
1016     or to assert or imply endorsement of any Modified Version.</para>
1017     </sect1>
1018     <sect1 id="gfdl-5">
1019       <title>COMBINING DOCUMENTS</title>
1020       <para>You may combine the Document with other documents released
1021     under this License, under the terms defined in section 4 above for
1022     modified versions, provided that you include in the combination
1023     all of the Invariant Sections of all of the original documents,
1024     unmodified, and list them all as Invariant Sections of your
1025     combined work in its license notice.</para>
1026       <para>The combined work need only contain one copy of this
1027     License, and multiple identical Invariant Sections may be replaced
1028     with a single copy.  If there are multiple Invariant Sections with
1029     the same name but different contents, make the title of each such
1030     section unique by adding at the end of it, in parentheses, the
1031     name of the original author or publisher of that section if known,
1032     or else a unique number.  Make the same adjustment to the section
1033     titles in the list of Invariant Sections in the license notice of
1034     the combined work.</para>
1035       <para>In the combination, you must combine any sections entitled
1036     &quot;History&quot; in the various original documents, forming one section
1037     entitled &quot;History&quot;; likewise combine any sections entitled
1038     &quot;Acknowledgements&quot;, and any sections entitled &quot;Dedications&quot;.  You
1039     must delete all sections entitled &quot;Endorsements.&quot;</para>
1040     </sect1>
1041     <sect1 id="gfdl-6">
1042       <title>COLLECTIONS OF DOCUMENTS</title>
1043       <para>You may make a collection consisting of the Document and
1044     other documents released under this License, and replace the
1045     individual copies of this License in the various documents with a
1046     single copy that is included in the collection, provided that you
1047     follow the rules of this License for verbatim copying of each of
1048     the documents in all other respects.</para>
1049       <para>You may extract a single document from such a collection,
1050     and distribute it individually under this License, provided you
1051     insert a copy of this License into the extracted document, and
1052     follow this License in all other respects regarding verbatim
1053     copying of that document.</para>
1054     </sect1>
1055     <sect1 id="gfdl-7">
1056       <title>AGGREGATION WITH INDEPENDENT WORKS</title>
1057       <para>A compilation of the Document or its derivatives with other
1058     separate and independent documents or works, in or on a volume of
1059     a storage or distribution medium, does not as a whole count as a
1060     Modified Version of the Document, provided no compilation
1061     copyright is claimed for the compilation.  Such a compilation is
1062     called an &quot;aggregate&quot;, and this License does not apply to the
1063     other self-contained works thus compiled with the Document, on
1064     account of their being thus compiled, if they are not themselves
1065     derivative works of the Document.</para>
1066       <para>If the Cover Text requirement of section 3 is applicable to
1067     these copies of the Document, then if the Document is less than
1068     one quarter of the entire aggregate, the Document&apos;s Cover Texts
1069     may be placed on covers that surround only the Document within the
1070     aggregate.  Otherwise they must appear on covers around the whole
1071     aggregate.</para>
1072     </sect1>
1073     <sect1 id="gfdl-8">
1074       <title>TRANSLATION</title>
1075       <para>Translation is considered a kind of modification, so you may
1076     distribute translations of the Document under the terms of section
1077     4.  Replacing Invariant Sections with translations requires
1078     special permission from their copyright holders, but you may
1079     include translations of some or all Invariant Sections in addition
1080     to the original versions of these Invariant Sections.  You may
1081     include a translation of this License provided that you also
1082     include the original English version of this License.  In case of
1083     a disagreement between the translation and the original English
1084     version of this License, the original English version will
1085     prevail.</para>
1086     </sect1>
1087     <sect1 id="gfdl-9">
1088       <title>TERMINATION</title>
1089       <para>You may not copy, modify, sublicense, or distribute the
1090     Document except as expressly provided for under this License.  Any
1091     other attempt to copy, modify, sublicense or distribute the
1092     Document is void, and will automatically terminate your rights
1093     under this License.  However, parties who have received copies, or
1094     rights, from you under this License will not have their licenses
1095     terminated so long as such parties remain in full
1096     compliance.</para>
1097     </sect1>
1098     <sect1 id="gfdl-10">
1099       <title>FUTURE REVISIONS OF THIS LICENSE</title>
1100       <para>The Free Software Foundation may publish new, revised
1101     versions of the GNU Free Documentation License from time to time.
1102     Such new versions will be similar in spirit to the present
1103     version, but may differ in detail to address new problems or
1104     concerns.  See <ulink url="http://www.gnu.org/copyleft/">http://www.gnu.org/copyleft/</ulink>.</para>
1105       <para>Each version of the License is given a distinguishing
1106     version number.  If the Document specifies that a particular
1107     numbered version of this License &quot;or any later version&quot; applies to
1108     it, you have the option of following the terms and conditions
1109     either of that specified version or of any later version that has
1110     been published (not as a draft) by the Free Software Foundation.
1111     If the Document does not specify a version number of this License,
1112     you may choose any version ever published (not as a draft) by the
1113     Free Software Foundation.</para>
1114     </sect1>
1115     <sect1 id="gfdl-11">
1116       <title>HOW TO USE THIS LICENSE FOR YOUR DOCUMENTS</title>
1117       <para>To use this License in a document you have written, include
1118     a copy of the License in the document and put the following
1119     copyright and license notices just after the title page:</para>
1120       <blockquote>
1121         <para>
1122       Copyright (c)  YEAR  YOUR NAME.
1123       Permission is granted to copy, distribute and/or modify this document
1124       under the terms of the GNU Free Documentation License, Version 1.1
1125       or any later version published by the Free Software Foundation;
1126       with the Invariant Sections being LIST THEIR TITLES, with the
1127       Front-Cover Texts being LIST, and with the Back-Cover Texts being LIST.
1128       A copy of the license is included in the section entitled &quot;GNU
1129       Free Documentation License&quot;.
1130 </para>
1131       </blockquote>
1132       <para>If you have no Invariant Sections, write &quot;with no Invariant
1133     Sections&quot; instead of saying which ones are invariant.  If you have
1134     no Front-Cover Texts, write &quot;no Front-Cover Texts&quot; instead of
1135     &quot;Front-Cover Texts being LIST&quot;; likewise for Back-Cover
1136     Texts.</para>
1137       <para>If your document contains nontrivial examples of program
1138     code, we recommend releasing these examples in parallel under your
1139     choice of free software license, such as the GNU General Public
1140     License, to permit their use in free software.</para>
1141     </sect1>
1142   </appendix>
1143 <!-- Uncomment the following line if you are using an external file for
1144 your glossary. You may also paste the contents of that file into the
1145 template at this point if you prefer having a single, longer file. --><!-- &glossary; --><!-- Uncomment the following line if you are using an external file for
1146 your bibliography. You may also paste the contents of that file into the
1147 template at this point if you prefer having a single, longer file. --><!-- &bibliography; --></article>
