AP FC8


(Difference between revisions)
Line 1: Line 1:
-
==WiFi Hardware==
+
=WiFi Hardware=
As we are going build WPA protected Access Point it's required authorization daemon supports our hardware. Authorization software based on [http://hostap.epitest.fi/hostapd/ hostapd]. As seen from [http://hostap.epitest.fi/hostapd/ hostapd]'s home page it support chipsets/drivers:
As we are going build WPA protected Access Point it's required authorization daemon supports our hardware. Authorization software based on [http://hostap.epitest.fi/hostapd/ hostapd]. As seen from [http://hostap.epitest.fi/hostapd/ hostapd]'s home page it support chipsets/drivers:
Line 24: Line 24:
and supported by [http://madwifi.org/ madwifi] drivers.
and supported by [http://madwifi.org/ madwifi] drivers.
-
==Generic Installation==
+
=Generic Installation=
Generic installation steps:
Generic installation steps:
Line 42: Line 42:
** <code>hostapd-0.6.3.tar.gz</code>
** <code>hostapd-0.6.3.tar.gz</code>
-
==Building/configuring driver==
+
=Building/configuring driver=
Unpack <code>madwifi-0.9.4.tar.gz</code> to <code>/usr/local/src</code>:
Unpack <code>madwifi-0.9.4.tar.gz</code> to <code>/usr/local/src</code>:
Line 70: Line 70:
alias scsi_hostadapter1 ata_piix</pre>
alias scsi_hostadapter1 ata_piix</pre>
-
==Network configuration==
+
=Network configuration=
Setup ethernet adaptor <code>eth0</code> for WAN interface and bridge (eth1 + wlan0) for local network.
Setup ethernet adaptor <code>eth0</code> for WAN interface and bridge (eth1 + wlan0) for local network.
Line 103: Line 103:
Please note that our AP network <b>ESSID</b> we setted to <i>home-home</i>.
Please note that our AP network <b>ESSID</b> we setted to <i>home-home</i>.
 +
 +
=Network services configuration=
 +
==DHCP==
 +
<code>/etc/dhcpd.conf</code>:<pre>ddns-update-style interim;
 +
ignore client-updates;
 +
 +
subnet 192.168.1.0 netmask 255.255.255.0 {
 +
 +
# --- default gateway
 +
        option routers                  192.168.1.1;
 +
        option subnet-mask              255.255.255.0;
 +
 +
        option nis-domain              "domain.org";
 +
        option domain-name              "domain.org";
 +
        option domain-name-servers      192.168.1.1;
 +
 +
        option time-offset              -18000; # Eastern Standard Time
 +
#      option ntp-servers              192.168.1.1;
 +
#      option netbios-name-servers    192.168.1.1;
 +
# --- Selects point-to-point node (default is hybrid). Don't change this unless
 +
# -- you understand Netbios very well
 +
#      option netbios-node-type 2;
 +
 +
        range dynamic-bootp 192.168.1.128 192.168.1.254;
 +
        default-lease-time 21600;
 +
        max-lease-time 43200;
 +
 +
        # we want the nameserver to appear at a fixed address
 +
        host ns {
 +
                next-server marvin.redhat.com;
 +
                hardware ethernet 12:34:56:78:AB:CD;
 +
                fixed-address 207.175.42.254;
 +
        }
 +
}</pre>
 +
 +
==DNS==
 +
<code>/etc/named.conf</code>:<pre>options {
 +
//      listen-on port 53 { 127.0.0.1; };
 +
        listen-on-v6 port 53 { ::1; };
 +
        directory      "/var/named";
 +
        dump-file      "/var/named/data/cache_dump.db";
 +
        statistics-file "/var/named/data/named_stats.txt";
 +
        memstatistics-file "/var/named/data/named_mem_stats.txt";
 +
        allow-query    { any; };
 +
        recursion yes;
 +
};
 +
 +
logging {
 +
        channel default_debug {
 +
                file "data/named.run";
 +
                severity dynamic;
 +
        };
 +
};
 +
 +
zone "." IN {
 +
        type hint;
 +
        file "named.ca";
 +
};
 +
 +
include "/etc/named.rfc1912.zones";</pre>
 +
 +
==FireWall==
 +
<code>/etc/sysconfig/iptables</code>:<pre>*nat
 +
-A POSTROUTING -o eth0 -j MASQUERADE
 +
-A POSTROUTING -o ppp0 -j MASQUERADE
 +
COMMIT
 +
 +
*filter
 +
:INPUT ACCEPT [0:0]
 +
:FORWARD ACCEPT [0:0]
 +
:OUTPUT ACCEPT [0:0]
 +
:RH-Firewall-1-INPUT - [0:0]
 +
-A FORWARD -i br0 -j ACCEPT
 +
-A INPUT -i br0 -j ACCEPT
 +
-A INPUT -j RH-Firewall-1-INPUT
 +
-A FORWARD -j RH-Firewall-1-INPUT
 +
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
 +
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
 +
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
 +
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
 +
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
 +
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
 +
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
 +
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 +
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22  -j ACCEPT
 +
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
 +
COMMIT</pre>
 +
<code>/etc/sysctl.conf</code>:<pre>--skipped--
 +
# Controls IP packet forwarding
 +
net.ipv4.ip_forward = 1
 +
--skipped--</pre>
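Review bot: The named.conf added under ==DNS== combines `allow-query { any; };` with `recursion yes;` and leaves `listen-on` commented out, so BIND answers recursive queries on every IPv4 address it has, including the WAN side (eth0/ppp0); only the final `REJECT` in RH-Firewall-1-INPUT in the ==FireWall== listing keeps this from being an open resolver, and that dependency is stated nowhere. Restricting the resolver itself is cheap and survives a later firewall change: `listen-on port 53 { 127.0.0.1; 192.168.1.1; };` and `allow-query { 127.0.0.1; 192.168.1.0/24; };` (or `allow-recursion` with the same list). The ==DHCP== listing also still carries what looks like the distribution's sample `host ns { ... }` block (placeholder MAC `12:34:56:78:AB:CD`, `next-server marvin.redhat.com`, `fixed-address 207.175.42.254` outside 192.168.1.0/24) and should be deleted or replaced by a real LAN host. Note too that the firewall accepts NEW TCP connections to port 22 from every non-br0 interface, so SSH on the AP is reachable from the WAN as well as the LAN; if that is not intended, add `-i eth0`/`-i ppp0` exclusions or restrict the source.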

Revision as of 09:49, 12 July 2008


WiFi Hardware

As we are going to build a WPA-protected Access Point, the authorization daemon must support our hardware. The authorization software is based on hostapd. As seen on hostapd's home page, it supports the following chipsets/drivers:

  • Host AP driver for Prism2/2.5/3
  • madwifi (Atheros ar521x)
  • Prism54.org (Prism GT/Duette/Indigo)

After some research on our local PC-components market we chose the D-Link DWA-520, which is based on an Atheros chipset:

[root@dev-1 ~]# lspci -vvv
--skipped--
01:0b.0 Ethernet controller: Atheros Communications, Inc. AR5212/AR5213 Multiprotocol MAC/baseband processor (rev 01)
        Subsystem: D-Link System Inc Unknown device 3a73
        Control: I/O- Mem+ BusMaster+ SpecCycle- MemWINV+ VGASnoop- ParErr- Stepping- SERR+ FastB2B- DisINTx-
        Status: Cap+ 66MHz- UDF- FastB2B+ ParErr- DEVSEL=medium >TAbort- <TAbort- <MAbort- >SERR- <PERR- INTx-
        Latency: 168 (2500ns min, 7000ns max), Cache Line Size: 32 bytes
        Interrupt: pin A routed to IRQ 23
        Region 0: Memory at ff8f0000 (32-bit, non-prefetchable) [size=64K]
        Capabilities: [44] Power Management version 2
                Flags: PMEClk- DSI- D1- D2- AuxCurrent=375mA PME(D0-,D1-,D2-,D3hot-,D3cold-)
                Status: D0 PME-Enable- DSel=0 DScale=2 PME-
        Kernel driver in use: ath_pci
        Kernel modules: ath_pci
--skipped--

and is supported by the madwifi drivers.

Generic Installation

Generic installation steps:

  • install the WiFi PCI board
  • install an additional Ethernet adapter (we want two adapters: the 1st for WAN, the 2nd for the local LAN)
  • perform a minimal Fedora Core 8 installation
  • update all installed Fedora packages
  • install the packages required for building the madwifi drivers and hostapd:
    • gcc
    • openssl-devel
    • kernel development package (in my case kernel-devel-2.6.25.9-40.fc8)
    • dhcp
    • bind, bind-chroot
    • bridge-utils
  • download the madwifi driver and hostapd source code to /usr/local/src:
    • madwifi-0.9.4.tar.gz
    • hostapd-0.6.3.tar.gz

Building/configuring driver

Unpack madwifi-0.9.4.tar.gz to /usr/local/src:

[root@dev-1 ~]# cd /usr/local/src
[root@dev-1 src]# gzip -cd madwifi-0.9.4.tar.gz | tar xf -
Go to the source code directory, then build and install:
[root@dev-1 src]# cd madwifi-0.9.4
[root@dev-1 madwifi-0.9.4]# make
Checking requirements... ok.
Checking kernel configuration... ok.
make -C /lib/modules/2.6.25.9-40.fc8/build SUBDIRS=/usr/local/src/madwifi-0.9.4 modules
make[1]: Entering directory `/usr/src/kernels/2.6.25.9-40.fc8-i686'
  CC [M]  /usr/local/src/madwifi-0.9.4/ath/if_ath.o
--skipped--
gcc -o ath_info -g -O2 -Wall ath_info.c
make[1]: Leaving directory `/usr/local/src/madwifi-0.9.4/tools'
[root@dev-1 madwifi-0.9.4]# make install
Remove the old ath5k driver (it would otherwise compete with madwifi's ath_pci for the card):
[root@dev-1 madwifi-0.9.4]# rm -f -r -d /lib/modules/2.6.25.9-40.fc8/kernel/drivers/net/wireless/ath5k
[root@dev-1 madwifi-0.9.4]# depmod -a
Check that /etc/modprobe.conf contains the correct options for the new driver and that wlan0 is associated with the ath_pci driver:
# /etc/modprobe.conf -- module aliases on the AP host, as shown on this page.
alias eth0 e100
# NOTE(review): a second alias for eth0 pointing at "eth1" looks like a typo -- eth0 is
# already bound to e100 on the line above; confirm whether this was meant to be
# "alias eth1 <module>" for the second (LAN) adapter.
alias eth0 eth1
# The distribution kernel's ath5k module is removed above; wlan0 is bound to madwifi's ath_pci instead.
#alias wlan0 ath5k
alias wlan0 ath_pci
# madwifi option: have ath_pci create wlan0 as an access-point VAP at load time
# (the ifcfg-wlan0 below relies on wlan0 being in master mode).
options ath_pci autocreate=ap
alias scsi_hostadapter libata
alias scsi_hostadapter1 ata_piix

Network configuration

Set up Ethernet adapter eth0 as the WAN interface and a bridge (eth1 + wlan0) for the local network.

/etc/sysconfig/network-scripts/ifcfg-br0
# /etc/sysconfig/network-scripts/ifcfg-br0 -- LAN-side bridge carrying eth1 and wlan0.
DEVICE=br0
TYPE=Bridge
# Static address; 192.168.1.1 is also the router and DNS address handed out by dhcpd below.
BOOTPROTO=static
IPADDR=192.168.1.1
NETMASK=255.255.255.0
ONBOOT=yes
# Zero bridge forward delay and no spanning tree -- fine for a single bridge with no
# redundant links, which is presumably the case here.
DELAY=0
STP=off
/etc/sysconfig/network-scripts/ifcfg-eth0
# /etc/sysconfig/network-scripts/ifcfg-eth0 -- WAN/upstream interface.
# LAN traffic leaving through eth0 is masqueraded by the iptables listing below.
DEVICE=eth0
BOOTPROTO=static
BROADCAST=10.1.255.255
IPADDR=10.1.5.190
NETMASK=255.255.0.0
NETWORK=10.1.0.0
ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-eth1
# /etc/sysconfig/network-scripts/ifcfg-eth1 -- wired LAN port, enslaved to br0 (no address of its own).
DEVICE=eth1
TYPE=ETHER
BRIDGE=br0
ONBOOT=yes
/etc/sysconfig/network-scripts/ifcfg-wlan0
# /etc/sysconfig/network-scripts/ifcfg-wlan0 -- the Atheros card in AP (master) mode, bridged with eth1.
# NOTE(review): only the ESSID is set here; the WPA passphrase/cipher settings belong to hostapd's
# configuration, which this page does not show -- confirm it is in place before bringing the AP up.
DEVICE=wlan0
BRIDGE=br0
ONBOOT=yes
MODE=master
ESSID="home-home"

Please note that we set our AP network ESSID to home-home.

Network services configuration

DHCP

/etc/dhcpd.conf:
# /etc/dhcpd.conf -- DHCP for the bridged LAN (br0, 192.168.1.0/24); the AP itself is router and DNS.
ddns-update-style interim;
ignore client-updates;

subnet 192.168.1.0 netmask 255.255.255.0 {

# --- default gateway
        option routers                  192.168.1.1;
        option subnet-mask              255.255.255.0;

        option nis-domain               "domain.org";
        option domain-name              "domain.org";
        # Clients are pointed at the local BIND instance configured under DNS below.
        option domain-name-servers      192.168.1.1;

        option time-offset              -18000; # Eastern Standard Time
#       option ntp-servers              192.168.1.1;
#       option netbios-name-servers     192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
#       option netbios-node-type 2;

        # Dynamic pool is the upper half of the subnet; addresses below .128 are not handed out.
        range dynamic-bootp 192.168.1.128 192.168.1.254;
        default-lease-time 21600;
        max-lease-time 43200;

        # we want the nameserver to appear at a fixed address
        # NOTE(review): this host block looks like the distribution's sample entry left as-is
        # (placeholder MAC, next-server at redhat.com, fixed-address outside 192.168.1.0/24) --
        # delete it or replace it with a real LAN host before relying on it.
        host ns {
                next-server marvin.redhat.com;
                hardware ethernet 12:34:56:78:AB:CD;
                fixed-address 207.175.42.254;
        }
}

DNS

/etc/named.conf:
// /etc/named.conf -- recursive resolver for the LAN (dhcpd above hands out 192.168.1.1 as DNS).
options {
//      listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        // NOTE(review): with listen-on commented out named binds every IPv4 address, and
        // allow-query { any; } together with recursion yes makes it an open resolver wherever
        // port 53 is reachable; only the REJECT rule in the iptables listing below blocks that
        // on eth0/ppp0. Safer to list the LAN here, e.g. allow-query { 127.0.0.1; 192.168.1.0/24; };
        allow-query     { any; };
        recursion yes;
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

// Root hints only; the localhost (RFC 1912) zones come from the included file.
zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";

FireWall

/etc/sysconfig/iptables:
# /etc/sysconfig/iptables -- NAT the LAN (br0) out through eth0/ppp0; trust br0, filter every other interface.
*nat
-A POSTROUTING -o eth0 -j MASQUERADE
# ppp0 is not configured elsewhere on this page; presumably an alternative dial-up/PPPoE uplink.
-A POSTROUTING -o ppp0 -j MASQUERADE
COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
# Anything arriving on the LAN bridge (wired + WiFi clients) is accepted, both to the AP and forwarded.
-A FORWARD -i br0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
# Everything else (eth0, ppp0, lo) goes through RH-Firewall-1-INPUT, whose last rule rejects.
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
# IP protocols 50/51 are ESP/AH (IPsec).
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
# mDNS and IPP (printing), typical Fedora defaults. NOTE(review): these are also open on the WAN side here.
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# NOTE(review): SSH is accepted from every non-br0 interface, i.e. from the WAN (eth0/ppp0) as well.
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22  -j ACCEPT
# Default deny for everything not matched above; this is what keeps port 53 closed towards the WAN.
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
/etc/sysctl.conf:
--skipped--
# Controls IP packet forwarding
# Required for the FORWARD/MASQUERADE rules in the iptables listing above to carry LAN traffic to the WAN.
net.ipv4.ip_forward = 1
--skipped--