We assume here that you want to create a wireless access point secured by WPA/WPA2. Instructions for using WEP will not be given (and please don't ask for them to be provided).
For now, this only includes instructions for PCI cards supported by the hostap and madwifi drivers. Feedback is welcome about what it takes to make other cards (other chipsets as well as PC-Card and USB models) work.
Due to the size of the packages and modules required for this to work, it is unlikely you will get it to work on a single disk setup. You will either need a two disk setup, or an alternative storage medium (like CD, HD, USB or Compact Flash).
The two required packages (wireless.lrp and hostapd.lrp) and their dependencies (libssl.lrp, libcrpto.lrp and libm.lrp) are available from the bering-uclibc packages page.
Add the two packages to your storage media and add them to leaf.cfg. Check the Bering-uClibc Installation Guide to learn how to do that.
In order to build a wireless access point, you will first have to get the hardware to work, which means adding the proper modules and loading them in the right order, and then adding the configuration for hostapd.
For setting up an AP with a PCI card supported by the madwifi driver, you will need the following modules from the modules tarball available from the bering-uclibc download area:
    2.4.33/net/ath_hal.o
    2.4.33/net/ath_rate_sample.o
    2.4.33/net/ath_pci.o
    2.4.33/net/wlan.o
    2.4.33/net/wlan_scan_ap.o
    2.4.33/net/wlan_acl.o
    2.4.33/net/wlan_ccmp.o
    2.4.33/net/wlan_tkip.o
    2.4.33/net/wlan_xauth.o
Copy those files to /lib/modules/ on your Bering-uClibc installation and add the following to your /etc/modules file:
    ath_hal
    wlan
    wlan_scan_ap
    ath_rate_sample
    ath_pci autocreate=ap
    wlan_acl
    wlan_ccmp
    wlan_tkip
    wlan_xauth
At this point, it's probably a good idea to save both the configuration and the modules (from the lrcfg menu) and reboot your router. During the reboot (or afterwards, looking at the output of dmesg) you should see something like:
    ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
    wlan: 0.8.4.2 (0.9.2.1)
    ath_rate_sample: 1.2 (0.9.2.1)
    ath_pci: 0.9.4.5 (0.9.2.1)
    wifi0: 11a rates: 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
    wifi0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
    wifi0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps
    wifi0: turboG rates: 6Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
    wifi0: H/W encryption support: WEP AES AES_CCM TKIP
    wifi0: mac 5.9 phy 4.3 radio 3.6
    wifi0: Use hw queue 1 for WME_AC_BE traffic
    wifi0: Use hw queue 0 for WME_AC_BK traffic
    wifi0: Use hw queue 2 for WME_AC_VI traffic
    wifi0: Use hw queue 3 for WME_AC_VO traffic
    wifi0: Use hw queue 8 for CAB traffic
    wifi0: Use hw queue 9 for beacons
    wifi0: Atheros 5212: mem=0xa0010000, irq=11
    wlan: mac acl policy registered
Some cards let you set the regulatory domain that the card is used in. The regulatory domain specifies which channels and transmit power settings are allowed. For cards that support setting the regulatory domain, you can specify
    ath_pci autocreate=ap countrycode=XXX
in /etc/modules, where XXX is the country code for the country that you are going to use the router in. See here for a list of country codes - the values from the "UN Numeric-3" column are what you need.
Not all cards allow the driver to set the country code. On such cards, you will see something like this during bootup (if you have the countrycode setting in your /etc/modules file):
    wifi%d: unable to collect channel list from hal; regdomain likely 48 country code 276
If you see this, remove the countrycode setting from /etc/modules, save the configuration and reboot.
Setup in /etc/network/interfaces is minimal, since all of the wlan specific settings will be done in the hostapd configuration. You will only need to declare the proper interface and IP address (since these instructions are for creating an access point, a static IP is assumed).
Add the following to /etc/network/interfaces:
    auto ath0
    iface ath0 inet static
        address 192.168.253.254
        netmask 255.255.255.0
        broadcast 192.168.253.255
        wireless-channel 1
Replace the IP address and netmask with whatever you prefer, if you want to use a different net.
Setting the channel is optional. It is usually best to let the driver decide which channel to use (you never know if your neighbours are going to turn on an AP on a channel that used to work fine yesterday). But if you want to force the driver to use a specific channel, this is the place to do it.
First of all, open /etc/default/hostapd and uncomment the line
    # RUN_DAEMON='yes'
If you forget to do that, hostapd will not start.
Next, open /etc/hostapd/hostapd.conf and enter the following information:
    interface=ath0
    driver=madwifi
    logger_syslog=-1
    logger_syslog_level=1
    logger_stdout=-1
    logger_stdout_level=2
    debug=0
    ctrl_interface=/var/run/hostapd
    hw_mode=g
    macaddr_acl=0
    auth_algs=3
    ignore_broadcast_ssid=0
    wpa=3
    wpa_psk=your_strong_preshared_key
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP CCMP
    eap_server=0
    eapol_key_index_workaround=0
The comments in that config file are actually very helpful, so you'll want to change the individual settings, rather than replacing the file with the content above.
See this site for a nice tool to generate strong preshared keys. Use the string from the first box labeled "64 random hexadecimal characters (0-9 and A-F):" for wpa_psk.
Add
    wlan ath0 detect dhcp
to /etc/shorewall/interfaces.
Add
    wlan ipv4
to /etc/shorewall/zones.
Update /etc/shorewall/policy and/or /etc/shorewall/rules and/or /etc/shorewall/masq to allow traffic to/from the wireless network.
Add
    interface=ath0
to /etc/dnsmasq.conf (unless you have dnsmasq listening on all devices anyway).
Add an address range to serve by DHCP to /etc/dnsmasq.conf, something like
    dhcp-range=192.168.253.2,192.168.253.19,12h
For setting up an AP with a PCI card supported by the hostap driver, you will need the following modules from the modules tarball available from the bering-uclibc download area:
    2.4.33/net/hostap
    2.4.33/net/hostap_pci
    2.4.33/net/hostap_crypt_ccmp
    2.4.33/net/hostap_crypt_tkip
Copy those files to /lib/modules/ on your Bering-uClibc installation and add the following to your /etc/modules file:
    hostap
    hostap_pci
    hostap_crypt_ccmp
    hostap_crypt_tkip
Unfortunately, unlike madwifi, hostap doesn't seem to be able to change the regulatory domain setting based on a country code. It seems to always use what is programmed into the card. If somebody has information on how to change the regulatory domain with the madwifi driver, please let the author know.
At this point, it's probably a good idea to save both the configuration and the modules (from the lrcfg menu) and reboot your router. During the reboot (or afterwards, looking at the output of dmesg) you should see something like:
    hostap_pci: 0.4.9 - 2006-05-06 (Jouni Malinen <[email protected]>
    hostap_pci: Registered netdevice wifi0
    wifi0: NIC: id=0x8013 v1.0.0
    wifi0: PRI: id=0x15 v1.1.1
    wifi0: STA: id=0x1f v1.7.4
    wifi0: Intersil Prism2.5 PCI: mem=0xa0003000, irq=11
Setup in /etc/network/interfaces is minimal, since all of the wlan specific settings will be done in the hostapd configuration. You will only need to declare the proper interface and IP address (since these instructions are for creating an access point, a static IP is assumed).
Add the following to /etc/network/interfaces:
    auto wlan0
    iface wlan0 inet static
        address 192.168.253.254
        netmask 255.255.255.0
        broadcast 192.168.253.255
        wireless-channel 1
Replace the IP address and netmask with whatever you prefer, if you want to use a different net.
Setting the channel is optional. It is usually best to let the driver decide which channel to use (you never know if your neighbours are going to turn on an AP on a channel that used to work fine yesterday). But if you want to force the driver to use a specific channel, this is the place to do it.
First of all, open /etc/default/hostapd and uncomment the line
    # RUN_DAEMON='yes'
If you forget to do that, hostapd will not start.
Next, open /etc/hostapd/hostapd.conf and enter the following information:
    interface=wlan0
    driver=hostap
    logger_syslog=-1
    logger_syslog_level=1
    logger_stdout=-1
    logger_stdout_level=2
    debug=0
    ctrl_interface=/var/run/hostapd
    hw_mode=b
    macaddr_acl=0
    auth_algs=3
    ignore_broadcast_ssid=0
    wpa=3
    wpa_psk=your_strong_preshared_key
    wpa_key_mgmt=WPA-PSK
    wpa_pairwise=TKIP CCMP
    eap_server=0
    eapol_key_index_workaround=0
The comments in that config file are actually very helpful, so you'll want to change the individual settings, rather than replacing the file with the content above.
See this site for a nice tool to generate strong preshared keys. Use the string from the first box labeled "64 random hexadecimal characters (0-9 and A-F):" for wpa_psk.
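As an added example (not part of the original guide), the wpa_psk value for either hostapd.conf above, madwifi or hostap, can be generated locally from /dev/urandom, and the settings from this chapter checked before hostapd is started. The function names gen_psk, conf_get and audit_hostapd_conf are made up for this example, and the auth_algs and file permission checks are hardening assumptions of the example, not requirements stated in this guide.

```sh
#!/bin/sh
# Added example, not from the original guide. Function names are made up.
# Usage (after sourcing this file):
#   gen_psk; audit_hostapd_conf /etc/hostapd/hostapd.conf

# 32 bytes from the kernel RNG, printed as 64 hexadecimal characters.
gen_psk() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Value of KEY in a hostapd.conf-style file. The last assignment wins, and
# commented-out lines are skipped because they do not start with "KEY=".
conf_get() {
    sed -n "s/^$1=//p" "$2" | tail -n 1
}

# Print one finding per line; the return status is the number of findings.
audit_hostapd_conf() {
    conf=$1
    findings=0
    note() { echo "$conf: $1"; findings=$((findings + 1)); }

    # hostapd expects wpa_psk as exactly 64 hex digits (a 256-bit key).
    psk=$(conf_get wpa_psk "$conf")
    case $psk in
        "") note "wpa_psk is not set" ;;
        *[!0-9a-fA-F]*) note "wpa_psk is not hexadecimal (placeholder left in?)" ;;
        *) [ "${#psk}" -eq 64 ] || note "wpa_psk has ${#psk} hex digits, need 64" ;;
    esac

    # The file holds the network key in clear text: no read bit for "other".
    [ -z "$(find "$conf" -perm -004)" ] || note "file is world-readable"

    # wpa is a bit mask: bit 0 = WPA, bit 1 = WPA2 (RSN).
    wpa=$(conf_get wpa "$conf")
    [ $(( ${wpa:-0} & 2 )) -ne 0 ] || note "wpa=${wpa:-unset}: WPA2 is not enabled"

    # auth_algs bit 1 is Shared Key authentication, which only WEP uses.
    algs=$(conf_get auth_algs "$conf")
    [ $(( ${algs:-0} & 2 )) -eq 0 ] || note "auth_algs=$algs allows WEP-only shared key auth"

    # CCMP (AES) should be among the offered pairwise ciphers.
    case " $(conf_get wpa_pairwise "$conf") " in
        *" CCMP "*) ;;
        *) note "wpa_pairwise does not offer CCMP" ;;
    esac
    return "$findings"
}
```

Run against the listing above exactly as printed, the audit reports the placeholder wpa_psk and auth_algs=3; with a generated key and auth_algs=1 it reports nothing.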
Add
    wlan wlan0 detect dhcp
to /etc/shorewall/interfaces.
Add
    wlan ipv4
to /etc/shorewall/zones.
Update /etc/shorewall/policy and/or /etc/shorewall/rules and/or /etc/shorewall/masq to allow traffic to/from the wireless network.
The WPA key you generated above and put into /etc/hostapd/hostapd.conf needs to be entered on each client that connects to the AP - so you might want to put it onto a USB stick or something like that.
But since that key is the only thing that is keeping others from logging onto your net, you should still keep it in a safe place.
We've only touched on the basics of setting up an AP in this section. The madwifi driver in particular has many extremely useful features, but discussing those would be beyond the scope of this chapter. Please see the madwifi wiki for more in-depth information.