Difference between revisions of "Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Wireless Access Point"

(Setting up a wireless access point with WPA)
(Considerations if using hostapd with IPv6 on managed interfaces)
 
(13 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{| summary="Navigation header" width="100%"
 +
! colspan="3" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Wireless Access Point|Advanced Topics - Setting Up a Wireless Access Point]]
 +
|-
 +
| width="20%" align="left"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Dynamic DNS Client|Prev]]
 +
! width="60%" align="center" | [[Bering-uClibc 4.x - User Guide]]
 +
| width="20%" align="right"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Virtual Private Network|Next]]
 +
|}
 +
----
 +
 +
 
==Setting up a wireless access point with WPA/WPA2==
 
==Setting up a wireless access point with WPA/WPA2==
  
 
===Objectives===
 
===Objectives===
We assume here that you want to create a wireless access point secured by
+
We assume here that you want to create a wireless access point secured by WPA/WPA2. Instructions for using WEP will not be given.
WPA/WPA2. Instructions for using WEP will not be given.
+
  
For now, this only includes instructions for pci-cards supported by the
+
For now, this only includes instructions for pci-cards supported by the hostap and kernel drivers (I use an Atheros WLAN NIC, supported by the ath5k driver).
hostap and kernel drivers (I use an Atheros WLAN NIC, supported by
+
Feedback is welcome about what it takes to make other cards (other chipsets as well as PC-Card and USB models) to work.
the ath5k driver). Feedback is welcome about what it takes to make other
+
cards (other chipsets as well as PC-Card and USB models) to work.
+
  
 
===Declare the packages===
 
===Declare the packages===
To build a wireless access point one needs the hostapd package hostapd.lrp
+
To build a wireless access point one needs the hostapd package ''hostapd.lrp''
and its dependencies libssl.lrp, libcrpto.lrp, libnl and libm.lrp.
+
and its dependencies ''libssl.lrp'', ''libcrpto.lrp'', ''libnl.lrp'' and ''libm.lrp''.
  
The packages have to reside on your storage media and added to
+
The packages have to reside on your storage media and added to <code class="filename">leaf.cfg</code>.  
leaf.cfg.  
+
  
FIX THIS# Check the Bering-uClibc Installation Guide to learn how to do
+
Check [[Bering-uClibc 4.x - User Guide - Basic Configuration - LEAF Packages|Basic Configuration - LEAF Packages]] to learn how to do
 
that.
 
that.
  
 
===Declare the required modules===
 
===Declare the required modules===
In order to build a wireless access point, you will first have to get the
+
In order to build a wireless access point, you will first have to get the hardware to work, which means adding the proper modules and loading them in the right order, and then adding the configuration for hostapd.
hardware to work, which means adding the proper modules and loading them in
+
the right order, and then adding the configuration for hostapd.
+
  
 
===Setup for cards supported by the ath5k driver===
 
===Setup for cards supported by the ath5k driver===
  
 
====Adding the required modules====
 
====Adding the required modules====
For setting up an AP with a pci card supported by the ath5k driver, you
+
For setting up an AP with a pci card supported by the ath5k driver, you will need the following modules from the modules tarball available from the Bering-uClibc download area or:
will need the following modules from the modules tarball available from the
+
2.x.y.x/kernel/crypto/arc4.ko
the bering-uclibc download area or:<br>
+
2.x.y.x/kernel/crypto/ecb.ko
2.6.35.7/kernel/crypto/arc4.ko<br>
+
2.x.y.x/kernel/net/mac80211/mac80211.ko
2.6.35.7/kernel/crypto/ecb.ko<br>
+
2.x.y.x/kernel/net/wireless/cfg80211.ko
2.6.35.7/kernel/net/mac80211/mac80211.ko<br>
+
2.x.y.x/kernel/net/rfkill/rfkill.ko
2.6.35.7/kernel/net/wireless/cfg80211.ko<br>
+
2.x.y.x/kernel/drivers/leds/led-class.ko
2.6.35.7/kernel/net/rfkill/rfkill.ko<br>
+
2.x.y.x/kernel/drivers/net/wireless/ath/ath.ko
2.6.35.7/kernel/drivers/leds/led-class.ko<br>
+
2.x.y.x/kernel/drivers/net/wireless/ath/ath5k/ath5k.ko
2.6.35.7/kernel/drivers/net/wireless/ath/ath.ko<br>
+
2.6.35.7/kernel/drivers/net/wireless/ath/ath5k/ath5k.ko<br>
+
  
Copy those files to /lib/modules/ on your Bering-uClibc installation and
+
Copy those files to <tt>/lib/modules/</tt> on your Bering-uClibc installation and add the following to your <tt>/etc/modules</tt> file:
add the following to your ''/etc/modules'' file:<br>
+
# wlan modules (example for ath5k)
arc4<br>
+
arc4
ecb<br>
+
ecb
mac80211<br>
+
mac80211  
cfg80211<br>
+
cfg80211
rfkill<br>
+
rfkill
led-class<br>
+
led-class
ath<br>
+
ath
ath5k<br>
+
ath5k
 
+
At this point, it's probably a good idea to save both the configuration and
+
the modules (from the ''lrcfg'' menu). And reboot your router. During the
+
reboot (or afterwards, looking at the output of dmesg) you should see
+
something like:<br>
+
<tt>cfg80211: Calling CRDA to update world regulatory domain<br>
+
ath5k 0000:00:0c.0: registered as 'phy0'<br>
+
ath: EEPROM regdomain: 0x0<br>
+
ath: EEPROM indicates default country code should be used<br>
+
ath: doing EEPROM country->regdmn map search<br>
+
ath: country maps to regdmn code: 0x3a<br>
+
ath: Country alpha2 being used: US<br>
+
ath: Regpair used: 0x3a<br>
+
phy0: Selected rate control algorithm 'minstrel'<br>
+
ath5k phy0: Atheros AR2413 chip found (MAC: 0x78, PHY: 0x45)<br>
+
cfg80211: Calling CRDA for country: US<br></tt>
+
  
 +
At this point, it's probably a good idea to save both the configuration and the modules (from the ''lrcfg'' menu). And reboot your router. During the
 +
reboot (or afterwards, looking at the output of <tt>dmesg</tt>) you should see something like:<br>
 +
cfg80211: Calling CRDA to update world regulatory domain
 +
ath5k 0000:00:0c.0: registered as 'phy0'
 +
ath: EEPROM regdomain: 0x0
 +
ath: EEPROM indicates default country code should be used
 +
ath: doing EEPROM country->regdmn map search
 +
ath: country maps to regdmn code: 0x3a
 +
ath: Country alpha2 being used: US
 +
ath: Regpair used: 0x3a
 +
phy0: Selected rate control algorithm 'minstrel'
 +
ath5k phy0: Atheros AR2413 chip found (MAC: 0x78, PHY: 0x45)
 +
cfg80211: Calling CRDA for country: US
  
 
===Configuration===
 
===Configuration===
====Declaring the interface in ''/etc/network/interfaces''====
+
 
Setup in ''/etc/network/interfaces'' is minimal, since all of the wlan specific
+
====Declaring the interface in <tt>/etc/network/interfaces</tt>====
settings will be done in the hostapd configuration. You will only need to
+
Setup in <tt>/etc/network/interfaces</tt> is minimal, since all of the wlan specific settings will be done in the hostapd configuration. You will only need to
declare the proper interface and IP address (since these instructions are
+
declare the proper interface and IP address (since these instructions are for creating an access point, a static IP is assumed).
for creating an access point, a static IP is assumed).
+
Add the following to <tt>/etc/network/interfaces</tt>
Add the following to ''/etc/network/interfaces''
+
  
 
     auto wlan0
 
     auto wlan0
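Review bot: the module paths now read "2.x.y.x/kernel/..." instead of "2.6.35.7/kernel/...", but nothing in the new text says what 2.x.y.x stands for, and the sentence introducing the list still ends in a dangling "download area or:". Say that 2.x.y.x is the kernel version of the installation and drop the "or". In the same hunk, "The packages have to reside on your storage media and added to leaf.cfg" is missing a "be" before "added".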
Line 83: Line 81:
 
     wireless-channel 6
 
     wireless-channel 6
  
Replace the IP address and netmask with whatever you prefer, if you want to
+
Replace the IP address and netmask with whatever you prefer, if you want to use a different net.
use a different net.
+
  
 
====Configuring hostapd====
 
====Configuring hostapd====
First of all, open ''/etc/default/hostapd'' and uncomment the line<br>
+
First of all, open <tt>/etc/default/hostapd</tt> and uncomment the line
<nowiki>#</nowiki> RUN_DAEMON='yes'<br>
+
 
 +
#RUN_DAEMON='yes'
 +
 
 
If you forget to do that, hostapd will not start.
 
If you forget to do that, hostapd will not start.
Next, open /etc/hostapd/hostapd.conf and enter the following information:<br>
+
Next, open <tt>/etc/hostapd/hostapd.conf</tt> and enter the following information:
interface=wlan0<br>
+
driver=nl80211<br>
+
logger_syslog=-1<br>
+
logger_syslog_level=1<br>
+
logger_stdout=-1<br>
+
logger_stdout_level=2<br>
+
debug=0<br>
+
ctrl_interface=/var/run/hostapd<br>
+
hw_mode=g<br>
+
channel 6 #(should be the same as in /etc/network/interfaces)<br>
+
macaddr_acl=0<br>
+
auth_algs=3<br>
+
ignore_broadcast_ssid=0<br>
+
wme_enabled=0<br>
+
wpa=3<br>
+
wpa_psk=your_strong_preshared_key<br>
+
wpa_key_mgmt=WPA-PSK<br>
+
wpa_pairwise=TKIP CCMP<br>
+
eap_server=0<br>
+
eapol_key_index_workaround=0<br>
+
  
The comments in that config file are actually very helpful, so you'll want
+
interface=wlan0
to change the individual settings, rather than replacing the file with the
+
driver=nl80211
content above.
+
logger_syslog=-1
See this site for a nice tool to generate strong preshared keys. Use the
+
logger_syslog_level=1
string from the first box labeled "64 random hexadecimal characters (0-9
+
logger_stdout=-1
and A-F):" for wpa_psk
+
logger_stdout_level=2
 +
debug=0
 +
ctrl_interface=/var/run/hostapd
 +
hw_mode=g
 +
channel 6 #(should be the same as in /etc/network/interfaces)
 +
macaddr_acl=0
 +
auth_algs=3
 +
ignore_broadcast_ssid=0
 +
wme_enabled=0
 +
wpa=3
 +
wpa_psk=your_strong_preshared_key
 +
wpa_key_mgmt=WPA-PSK
 +
wpa_pairwise=TKIP CCMP
 +
eap_server=0
 +
eapol_key_index_workaround=0
 +
 
 +
The comments in that config file are actually very helpful, so you'll want to change the individual settings, rather than replacing the file with the content above.
 +
See [https://www.grc.com/passwords.htm this site] for a nice tool to generate strong preshared keys. Use the string from the first box labeled "64 random hexadecimal characters (0-9 and A-F):" for wpa_psk.
  
 
====Configuring shorewall====
 
====Configuring shorewall====
Add<br>
+
Add
wlan  wlan0          detect          dhcp<br>
+
wlan  wlan0          detect          dhcp
to ''/etc/shorewall/interfaces''<br>
+
to <tt>/etc/shorewall/interfaces</tt>.
add <br>
+
 
wlan  ipv4<br>
+
Add
to ''/etc/shorewall/zones''<br>.
+
wlan  ipv4
Update ''/etc/shorewall/policy'' and/or ''/etc/shorewall/rules'' and/or
+
to <tt>/etc/shorewall/zones</tt>.
''/etc/shorewall/masq'' to allow traffic to/from wireless network
+
 
 +
Update <tt>/etc/shorewall/policy</tt> and/or <tt>/etc/shorewall/rules</tt> and/or <tt>/etc/shorewall/masq</tt> to allow traffic to/from wireless network
  
 
====Configuring dnsmasq====
 
====Configuring dnsmasq====
Add<br>
+
Add
interface=wlan0<br>
+
interface=wlan0
to ''/etc/dnsmasq.conf'' (unless you have dnsmasq listening on all devices
+
to <tt>/etc/dnsmasq.conf</tt> (unless you have dnsmasq listening on all devices anyway).
anyway).
+
Add an address range to serve by DHCP to <tt>/etc/dnsmasq.conf</tt>, something like:
Add an address range to serve by DHCP to ''/etc/dnsmasq.conf'', something like <br>
+
dhcp-range=192.168.253.2,192.168.253.19,12h
dhcp-range=192.168.253.2,192.168.253.19,12h<br>
+
  
 
===Finishing up===
 
===Finishing up===
Save the configuration and reboot - you should now have a working access
+
Save the configuration and reboot - you should now have a working access point.
point
+
 
+
  
 
===Handling of preshared keys===
 
===Handling of preshared keys===
The WPA key you generated above and put into ''/etc/hostapd/hostapd.conf''
+
The WPA key you generated above and put into <code class="filename">/etc/hostapd/hostapd.conf</code> needs to be entered on each client that connects to the AP - so you might want to put it onto a USB stick or something like that.
needs to be entered on each client that connects to the AP - so you might
+
But since that key is the only thing that is keeping others from logging onto your net, you should still keep it in a safe place.
want to put it onto a USB stick or something like that.
+
 
But since that key is the only thing that is keeping others from logging
+
=== Considerations if using hostapd with IPv6 on managed interfaces===
onto your net, you should still keep it in a safe place
+
If you want to use managed IPv6 interfaces on your WLAN (e.g. if the LEAF Bering-uClibc router is used for router advertisement for the IPv6 network) you'll see the known problem, that hostapd destroys the IPv6 configuration (see [http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536630 hostapd destroys IPv6 configuration on managed interface]).
 +
 
 +
A workaround is to disable autostart of hostapd via init script and to start it from <code class="filename">/etc/network/interfaces</code> instead.
 +
 
 +
To disable autostart from init edit <code class="filename">/etc/init.d/hostapd</code> and uncomment the lines 28 and 29:
 +
 
 +
#      start-stop-daemon --start --oknodo --quiet \                           
 +
#              --exec $DAEMON --pidfile $PIDFILE -- $DAEMON_OPTS > /dev/null
 +
 
 +
To start hostapd from <code class="filename">/etc/network/interfaces</code> add the following line to the wireless configuration:
 +
up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
 +
 
 +
So it may look like below:
 +
auto wlan0
 +
iface wlan0 inet static
 +
address 192.168.11.254
 +
netmask 255.255.255.0
 +
broadcast 192.168.11.255
 +
wireless-channel 8
 +
up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
 +
 
 +
----
 +
{| summary="Navigation footer" width="100%"
 +
| width="40%" align="left"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Dynamic DNS Client|Prev]]
 +
| width="20%" align="center" | [[Bering-uClibc 4.x - User Guide - Advanced Topics|Up]]
 +
| width="40%" align="right"  | [[Bering-uClibc 4.x - User Guide - Advanced Topics - Setting Up a Virtual Private Network|Next]]
 +
|}
 +
 
 +
[[Category:Bering-uClibc 4.x]]
 +
[[Category:User Guide]]
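Review bot: the hostapd.conf listing in the new revision still carries "channel 6 #(should be the same as in /etc/network/interfaces)" without an equals sign, so hostapd will not read it as a setting; write "channel=6" and move the remark to a comment line of its own. In the new IPv6 section, "uncomment the lines 28 and 29" reads the wrong way round for disabling autostart, since the two start-stop-daemon lines are shown with a leading "#"; "comment out" is what is meant. That section's example also uses "wireless-channel 8" while the hostapd.conf listing uses channel 6, which contradicts the note that both must match.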

Latest revision as of 18:41, 11 August 2012



Setting up a wireless access point with WPA/WPA2

Objectives

We assume here that you want to create a wireless access point secured by WPA/WPA2. Instructions for using WEP will not be given.

For now, this only includes instructions for PCI cards supported by the hostap and kernel drivers (I use an Atheros WLAN NIC, supported by the ath5k driver). Feedback is welcome about what it takes to make other cards (other chipsets as well as PC-Card and USB models) work.

Declare the packages

To build a wireless access point one needs the hostapd package hostapd.lrp and its dependencies libssl.lrp, libcrpto.lrp, libnl.lrp and libm.lrp.

The packages have to reside on your storage media and be added to leaf.cfg.

Check Basic Configuration - LEAF Packages to learn how to do that.

Declare the required modules

In order to build a wireless access point, you will first have to get the hardware to work, which means adding the proper modules and loading them in the right order, and then adding the configuration for hostapd.

Setup for cards supported by the ath5k driver

Adding the required modules

For setting up an AP with a PCI card supported by the ath5k driver, you will need the following modules from the modules tarball available from the Bering-uClibc download area (2.x.y.x stands for the kernel version of your installation):

2.x.y.x/kernel/crypto/arc4.ko
2.x.y.x/kernel/crypto/ecb.ko
2.x.y.x/kernel/net/mac80211/mac80211.ko
2.x.y.x/kernel/net/wireless/cfg80211.ko
2.x.y.x/kernel/net/rfkill/rfkill.ko
2.x.y.x/kernel/drivers/leds/led-class.ko
2.x.y.x/kernel/drivers/net/wireless/ath/ath.ko
2.x.y.x/kernel/drivers/net/wireless/ath/ath5k/ath5k.ko

Copy those files to /lib/modules/ on your Bering-uClibc installation and add the following to your /etc/modules file:

# wlan modules (example for ath5k)
arc4
ecb
mac80211 
cfg80211
rfkill
led-class
ath
ath5k

At this point, it's probably a good idea to save both the configuration and the modules (from the lrcfg menu) and reboot your router. During the reboot (or afterwards, looking at the output of dmesg) you should see something like:

cfg80211: Calling CRDA to update world regulatory domain
ath5k 0000:00:0c.0: registered as 'phy0'
ath: EEPROM regdomain: 0x0
ath: EEPROM indicates default country code should be used
ath: doing EEPROM country->regdmn map search
ath: country maps to regdmn code: 0x3a
ath: Country alpha2 being used: US
ath: Regpair used: 0x3a
phy0: Selected rate control algorithm 'minstrel'
ath5k phy0: Atheros AR2413 chip found (MAC: 0x78, PHY: 0x45)
cfg80211: Calling CRDA for country: US

Configuration

Declaring the interface in /etc/network/interfaces

Setup in /etc/network/interfaces is minimal, since all of the WLAN-specific settings will be done in the hostapd configuration. You will only need to declare the proper interface and IP address (since these instructions are for creating an access point, a static IP is assumed). Add the following to /etc/network/interfaces:

    auto wlan0
    iface wlan0 inet static
    address 192.168.11.254
    netmask 255.255.255.0
    broadcast 192.168.11.255
    wireless-channel 6

Replace the IP address and netmask with whatever you prefer, if you want to use a different net.

Configuring hostapd

First of all, open /etc/default/hostapd and uncomment the line

#RUN_DAEMON='yes'

If you forget to do that, hostapd will not start. Next, open /etc/hostapd/hostapd.conf and enter the following information:

interface=wlan0
driver=nl80211
logger_syslog=-1
logger_syslog_level=1
logger_stdout=-1
logger_stdout_level=2
debug=0
ctrl_interface=/var/run/hostapd
hw_mode=g
# channel should be the same as in /etc/network/interfaces
channel=6
macaddr_acl=0
auth_algs=3
ignore_broadcast_ssid=0
wme_enabled=0
wpa=3
wpa_psk=your_strong_preshared_key
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
eap_server=0
eapol_key_index_workaround=0

The comments in that config file are actually very helpful, so you'll want to change the individual settings, rather than replacing the file with the content above. See https://www.grc.com/passwords.htm for a nice tool to generate strong preshared keys. Use the string from the first box labeled "64 random hexadecimal characters (0-9 and A-F):" for wpa_psk.
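The key can also be generated on the router itself, which keeps it off third-party websites. The following is an added example, not part of the original guide: it generates a 64-character hexadecimal key from /dev/urandom and checks the hostapd settings described above. The function names and the sample files written by write_sample are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the guide): generate the PSK locally and check the
# hostapd setup described above. All function names are hypothetical.

# Print a 256-bit key as 64 hex characters, read from the kernel's CSPRNG.
gen_psk() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
    echo
}

# Print the value of key $2 in the key=value file $1 (last assignment wins).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# Check hostapd.conf ($1) against the interfaces file ($2).
# Prints one line per finding and returns the number of findings.
check_hostapd() {
    conf=$1; ifaces=$2; n=0
    # hostapd only accepts key=value lines, so a line such as "channel 6" is rejected.
    bad=$(grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$conf" | grep -v '=' || true)
    if [ -n "$bad" ]; then
        echo "not key=value: $bad"; n=$((n + 1))
    fi
    # wpa_psk takes exactly 64 hex digits (a passphrase belongs in wpa_passphrase).
    if ! conf_get "$conf" wpa_psk | grep -Eq '^[0-9A-Fa-f]{64}$'; then
        echo "wpa_psk is not 64 hex digits"; n=$((n + 1))
    fi
    # channel has to agree with wireless-channel in the interfaces file.
    ch=$(conf_get "$conf" channel)
    want=$(awk '$1 == "wireless-channel" { print $2 }' "$ifaces" | tail -n 1)
    if [ -z "$ch" ] || [ "$ch" != "$want" ]; then
        echo "channel '$ch' does not match wireless-channel '$want'"; n=$((n + 1))
    fi
    # The file holds the key: group and others must not be able to read it.
    case $(ls -ld "$conf" | cut -c5,8) in
        --) ;;
        *) echo "$conf is readable by group or others"; n=$((n + 1)) ;;
    esac
    return "$n"
}

# Constructed sample: writes a minimal pair of files into directory $1, using
# channel line $2, so the check can be tried without touching /etc.
write_sample() {
    printf 'auto wlan0\niface wlan0 inet static\n    wireless-channel 6\n' > "$1/interfaces"
    printf 'interface=wlan0\n%s\nwpa=3\nwpa_psk=%s\n' "$2" "$(gen_psk)" > "$1/hostapd.conf"
    chmod 600 "$1/hostapd.conf"
}

# Usage on the router:
#   sh check.sh /etc/hostapd/hostapd.conf /etc/network/interfaces
if [ $# -eq 2 ]; then
    check_hostapd "$1" "$2"
fi
```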

Configuring shorewall

Add

wlan   wlan0           detect          dhcp

to /etc/shorewall/interfaces.

Add

wlan   ipv4

to /etc/shorewall/zones.

Update /etc/shorewall/policy and/or /etc/shorewall/rules and/or /etc/shorewall/masq to allow traffic to/from the wireless network.

Configuring dnsmasq

Add

interface=wlan0

to /etc/dnsmasq.conf (unless you have dnsmasq listening on all devices anyway). Add an address range to serve by DHCP to /etc/dnsmasq.conf, something like the following (the range has to lie within the subnet configured for wlan0):

dhcp-range=192.168.253.2,192.168.253.19,12h

Finishing up

Save the configuration and reboot - you should now have a working access point.

Handling of preshared keys

The WPA key you generated above and put into /etc/hostapd/hostapd.conf needs to be entered on each client that connects to the AP - so you might want to put it onto a USB stick or something like that. But since that key is the only thing that is keeping others from logging onto your net, you should still keep it in a safe place.

Considerations if using hostapd with IPv6 on managed interfaces

If you want to use managed IPv6 interfaces on your WLAN (e.g. if the LEAF Bering-uClibc router is used for router advertisement for the IPv6 network) you'll see the known problem that hostapd destroys the IPv6 configuration (see "hostapd destroys IPv6 configuration on managed interface", http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=536630).

A workaround is to disable autostart of hostapd via init script and to start it from /etc/network/interfaces instead.

To disable autostart from init, edit /etc/init.d/hostapd and comment out lines 28 and 29, so that they read:

#       start-stop-daemon --start --oknodo --quiet \                            
#               --exec $DAEMON --pidfile $PIDFILE -- $DAEMON_OPTS > /dev/null

To start hostapd from /etc/network/interfaces add the following line to the wireless configuration:

up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf

So it may look like below:

auto wlan0
iface wlan0 inet static
address 192.168.11.254
netmask 255.255.255.0
broadcast 192.168.11.255
wireless-channel 8
up /usr/sbin/hostapd -B /etc/hostapd/hostapd.conf
