Building Wireless Community Networks by Rob Flickenger


5.1 Building a Wireless Gateway with Linux

To a Linux machine, the wireless card appears to be just another Ethernet device. The wireless driver in the kernel provides a network device (e.g., eth0) that can do all of the things any other network device can do. The rest of the system is completely unaware that communications are happening over radio. If you have ever built a firewall with Linux, much of this section should seem familiar to you.

If you haven't built a firewall with Linux, I highly recommend building one with old fashioned Ethernet to get familiar with the process. O'Reilly's Building Internet Firewalls covers the specific networking issues involved in much greater detail than I have space for here. Another excellent document to work through is the Firewall and Proxy Server HOWTO at http://www.linuxdoc.org/HOWTO/Firewall-HOWTO.html.

5.1.1 Hardware

Most 802.11b cards on the market today are PCMCIA devices. From a design and manufacturing standpoint, this is an excellent idea, because it simplifies the production line and helps keep costs down. At the time of this writing, wireless cards cost anywhere from $75-$200, with the average hovering around $120. Don't be fooled by their small size; these tiny cards are capable of sending a signal several miles with the proper antennas.

Obviously, to set up a machine as a wireless gateway, you need a computer with at least one PCMCIA slot. Although the most common computers that support PCMCIA are laptops, a desktop or rack mount box with a PCMCIA converter card works just fine. Many vendors (Cisco and Agere, for example) are selling PCMCIA to PCI or ISA converters specifically to fit wireless cards into desktop machines.


As long as the chipset on the PCMCIA converter is supported under Linux, and the wireless card itself has Linux drivers, your wireless card should work fine. It isn't absolutely necessary to use an Orinoco wireless card with an Agere converter, for example.

If you have any doubts about whether your hardware is supported under Linux, be sure to consult the current Hardware HOWTO at http://www.linuxdoc.org/HOWTO/HardwareHOWTO/.

It's also worth noting here that there are a bunch of older 802.11 frequency hopping cards floating around. They come in both PCMCIA and ISA/PCI packages and, unfortunately, are not 802.11b-compliant. If you want to be able to support 802.11b clients and data rates greater than 2Mbps, these cards will not help you. Always look for the "b" before you buy (there's a reason why the guy at the computer show is running a killer deal on $20 "wireless adapters").

In addition to a PCMCIA slot for the wireless adapter, you'll need an interface that connects to another network. In a laptop, this is usually provided by a network card in the second PCMCIA slot, or possibly a built-in modem for connecting to a dialup account. In a desktop or rack mount machine, any sort of network device can be used, although these days an Ethernet card is probably the most common (second only to dialup).

As far as actual computing hardware goes, you might consider using an older laptop as a gateway. It draws less power than a desktop, has built-in battery backup, and typically gives you two PCMCIA slots to work with. A 486 DX4/100 laptop can easily support several people as a masquerading gateway, as long as it has enough RAM (16 to 32MB should be plenty) and isn't doing anything other than routing packets and providing DHCP. We'll design our gateway to work "headless," so even a working LCD panel won't be a requirement (assuming your laptop has an external video connector to initially configure it). You can often pick up older used laptops at thrift stores or computer surplus stores for under $200 (just be sure to try before you buy; it does need to boot!).

The hard disk space required is a matter of personal preference and how much you want the gateway to do beyond providing access. While a more-than-complete Linux distribution can fill more than 2GB, you can easily squeeze a fully functional gateway into 20MB or less. In Section 5.1.10 at the end of this chapter, we'll see some examples of gateway distributions that fit entirely on a single floppy disk (no hard drive required!).

Of course, if you already have a machine on your network providing firewall services, it's a relatively simple matter to install a wireless adapter in it and have it serve as a gateway. If you already have a firewall running Linux, feel free to skip the Linux Distribution section.

For the purposes of example, I'll assume that we're installing an Orinoco Silver card into a laptop with a small hard drive and an Ethernet connection to the Internet.


5.1.2 Linux Distribution

Choosing a distribution (much like choosing an operating system) should be a straightforward process: identify your project goals and requirements, assess what each of the competing choices provides, and make your choice. Unfortunately, the ultimate choice of "which one" seems to be increasingly driven by marketing machinery and passionate treatises on Usenet instead of simple design details.

Rather than settling on a particular Linux distribution (and accidentally revealing my tendency to Slack), here are some components that are absolutely vital to a wireless gateway, and should ideally be provided by your distribution.

These are the mandatory components:

Linux 2.2 or 2.4 kernel
Firewall tools (ipchains or iptables)
PCMCIA-CS
Wireless Tools package
a DHCP server
Your favorite text editor

These components are optional:

GCC, for compiling drivers and tools
PPP, for dialup ISP access
SSH, for remote administration

Here are things you won't need (and they'd probably just get in the way):

X Windows, including Gnome, KDE, or any other window manager
Network services you don't intend to provide on the gateway itself (NFS, Samba, print services, etc.)

Installing Linux is very straightforward with most modern distributions. Typically, simply booting from the CD will get the process going. I'll assume that you have the system installed and running on your existing network for the rest of this section. If you need help getting to your first login: prompt, there are tons of great references on how to install Linux online. You might start with the wealth of information from the Linux Documentation Project at http://www.linuxdoc.org/.

5.1.3 Kernel Configuration

Once your system software is installed, you'll need to configure the kernel to provide wireless drivers and firewall services. The parameters that need to be set depend on which kernel you're running. The 2.2 kernel has been around for quite a while and has proven itself stable in countless production environments. The 2.4 kernel moved out of pre-release in January 2001 and is up to 2.4.5 as of this writing. While much more rich in features and functionality, it is also a much larger and more complex piece of software. For a new installation on a machine with adequate RAM (at least 16MB for a simple gateway), the 2.4 kernel is probably the best choice, as more and more developers are actively developing drivers for this platform. If space is tight, or you have an existing machine running 2.2 that you would like to turn into a gateway, 2.2 works fine in most cases.

Let's look at the specific kernel parameters that need to be set for each kernel. In either case, first cd to /usr/src/linux and run make menuconfig. For these examples, we'll assume you're using either 2.2.19 or 2.4.5. Feel free to compile in any or all of these options as loadable modules, where applicable.

5.1.3.1 Linux 2.2.19

In addition to drivers specific to your hardware (SCSI or IDE drivers, standard filesystems, etc.), make sure the following parameters are compiled into the kernel:

Under Loadable module support:

Enable loadable module support

Under Networking options:

Packet socket
Network firewalls
Socket Filtering
IP: firewalling
IP: masquerading
IP: ICMP masquerading (if you want to use tools like ping and traceroute)

Under Network device support:

Wireless LAN (non-hamradio)

Note that you need to enable only the Wireless LAN category, not any of the specific drivers. This enables the kernel's wireless extensions and provides the /proc/net/wireless monitoring interface. Don't worry about PCMCIA network drivers; these will be provided by the PCMCIA-CS package. See the PCMCIA-CS section later in this chapter for details.

5.1.3.2 Linux 2.4.5

Verify that the following are built into your kernel:

Under Loadable module support:

Enable loadable module support

Under General setup:

Support for hot-pluggable devices

This enables the PCMCIA/CardBus support category. Under that section, enable the following:

PCMCIA/CardBus support
CardBus support (only if you have a CardBus network card, i.e., most 100baseT cards)
Support for your PCMCIA bridge chipset (most are i82365, although it generally doesn't hurt to compile in both)

Under Networking options:

Packet socket
Socket Filtering
TCP/IP networking
Network packet filtering

This enables the IP: Netfilter Configuration category. Under that section, enable the following:

Connection tracking
FTP protocol support
IP tables support
Packet filtering
Full NAT
MASQUERADE target support

Under Network device support there are two subcategories of interest. Under Wireless LAN (non-hamradio):

Wireless LAN (non-hamradio)
Hermes support (Orinoco/WavelanIEEE/PrismII/Symbol 802.11b card)

Support for Orinoco and other Prism II cards used to be provided by PCMCIA-CS (as wvlan_cs), but has now moved into the kernel itself (as orinoco_cs). Enable Hermes support if you intend to use one of these cards. Why this particular driver resides here and not under PCMCIA network device support is something of a mystery.

Speaking of PCMCIA network device support, be sure to enable the following:

PCMCIA network device support
PCMCIA Wireless LAN
Any PCMCIA network drivers for your hardware

Beyond the above required components, also include the drivers you need for your specific hardware. If this is your first time building a new kernel, remember to keep things simple at first. The dazzling assortment of kernel options can be confusing, and trying to do too many things at once may lead to conflicts that are difficult to pin down. Just include the minimum functionality you need to get the machine booted and on the network, and worry about adding fancy functionality later. The Linux Documentation Project has some terrific reference and cookbook-style material in the Kernel HOWTO at http://www.linuxdoc.org/HOWTO/KernelHOWTO.html. RTFM[1] and encourage others to do the same!

[1] Read The Fine Manual. Thanks to the efforts of volunteer groups like the LDP and thousands of contributors, Linux has become possibly the best-documented operating system on the planet. And where the Fine Manual isn't available, the source is. Read it.

5.1.4 PCMCIA-CS

PCMCIA and Card Services provide operating system support for all kinds of credit card-sized devices, including Ethernet and wireless cards. The PCMCIA-CS package is actually made up of two parts: the drivers themselves, and the utilities that manage loading and unloading the drivers. The utilities detect when cards are inserted and removed and can give you status information about what has been detected.

5.1.4.1 Software

If your distribution includes a recent release of PCMCIA-CS, feel free to skip this section. You can tell what version you have installed by running /sbin/cardmgr -V. I've used 3.1.22 and 3.1.26 successfully. The latest (and recommended) release as of this writing is 3.1.26.

If you need to upgrade your PCMCIA-CS, follow the installation instructions in the package (it comes with a current version of the PCMCIA-HOWTO). When building from source, the package expects you to have your kernel source tree handy, so build your kernel first and then PCMCIA-CS. You can download the latest release at http://pcmcia-cs.sourceforge.net/.

5.1.4.2 Configuration

Setting up radio parameters is very straightforward. All of the wireless parameters are set in /etc/pcmcia/wireless.opts.

Here's an example wireless.opts:

#
# wireless.opts
#
case "$ADDRESS" in
*,*,*,*)
    INFO="Default configuration"
    ESSID="NoCat"
    MODE="Ad-Hoc"
    RATE="auto"
    ;;
esac

You may be thinking, "My God, it's full of stars..." But if you have ever worked with network.opts, the syntax is exactly the same. If you haven't, those asterisks allow for tremendous flexibility.

The script is passed a string in $ADDRESS that gives details about the card that was inserted, so you can have different entries for different cards. The address-matching syntax is:

scheme,socket,instance,MAC address)

The scheme allows for setting up as many arbitrary profiles as you like. The most common use for schemes is on a client laptop, where you may have different network settings for your office wireless network than for your home network. You can display the current scheme by issuing the cardctl scheme command as root, and you can change it by using a command like cardctl scheme home or cardctl scheme office. Both wireless.opts and network.opts are scheme-aware, allowing you to change your network and wireless settings quickly with a single command.

The second parameter, socket, is the socket number that the PCMCIA card was inserted into. Usually, they start with 0 and go up to the number of PCMCIA slots you have available. To find out which is which, insert a card in one slot and issue the cardctl status command.

The third parameter, instance, is used for exotic network cards that have more than one interface. I haven't come across one of these, but if you have a network card that has more than one network device in it, use this to set different parameters for each device, starting with 0.

I find the last parameter, MAC address, very useful because you can match the setting to a specific MAC address. You can even include wildcards to match a partial MAC address, like this:

*,*,*,00:02:2D:*)

This would match any recent Lucent card inserted in any slot, in any scheme. Keep in mind that the wireless.opts is only called to set radio parameters. Network settings (such as IP address, default gateway, and whether or not to use DHCP) are set in network.opts.

For our wireless gateway example, we'll need to set up an Ethernet card and an Orinoco Silver card. Include the above code in your wireless.opts. Create entries in your network.opts like these:

*,0,*,*)
    INFO="Wired network"
    DHCP="y"
    ;;

*,1,*,*)
    INFO="Wireless"
    IPADDR="10.0.0.1"
    NETMASK="255.255.255.0"
    NETWORK="10.0.0.0"
    BROADCAST="10.0.0.255"
    ;;

Be sure to put these above any section that starts with *,*,*,*), because that catch-all entry will preempt your specific settings. These settings assume that the wired network will get its IP address via DHCP. You can set DHCP="n" (or just remove the line) and include IP address information (as in the second example) if your ISP uses static IPs. The examples assume that the Ethernet card is in slot 0 and the radio is in slot 1. You could also match on the MAC address of your cards if you want the flexibility to plug either card in either slot, although generally, once your gateway is up and running, you'll want to forget it's even on. See the PCMCIA HOWTO for full details on all the tricky things you can do with $ADDRESS.
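To see why entry order matters, here is an added example (not from the book) that runs the same scheme,socket,instance,MAC patterns through a shell case statement, once in the order recommended above and once with the catch-all first. The INFO labels and the sample MAC addresses are constructed for the demonstration.

```shell
#!/bin/sh
# cardmgr hands network.opts and wireless.opts a single $ADDRESS string
# of the form scheme,socket,instance,MAC. A case statement takes the
# FIRST pattern that matches, so specific entries must precede *,*,*,*).

# Returns the INFO label that would be selected for the ADDRESS in $1,
# using the slot-based entries from the text plus a MAC-based entry.
profile_for() {
    case "$1" in
    *,0,*,*)          echo "Wired network" ;;
    *,1,*,*)          echo "Wireless" ;;
    *,*,*,00:02:2D:*) echo "Lucent card (MAC match)" ;;
    *,*,*,*)          echo "Default configuration" ;;
    esac
}

# The same entries with the catch-all placed first: it swallows every
# card, which is exactly the mistake the text warns about.
profile_for_misordered() {
    case "$1" in
    *,*,*,*)          echo "Default configuration" ;;
    *,0,*,*)          echo "Wired network" ;;
    *,1,*,*)          echo "Wireless" ;;
    esac
}

# Constructed sample ADDRESS strings (the MAC addresses are made up).
for addr in "home,0,0,00:A0:C9:12:34:56" \
            "home,1,0,00:02:2D:AA:BB:CC" \
            "office,2,0,00:02:2D:DD:EE:FF" \
            "office,2,0,00:50:DA:11:22:33"; do
    printf '%-30s -> %-24s (catch-all first: %s)\n' "$addr" \
        "$(profile_for "$addr")" "$(profile_for_misordered "$addr")"
done
```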

5.1.5 Wireless Tools

The excellent Wireless Tools package is maintained by Jean Tourrilhes. You can get a copy of it online at http://www.hpl.hp.com/personal/Jean_Tourrilhes/Linux/Tools.html. He describes the package as follows:

The Wireless Extension is a generic API allowing a driver to expose to the user space configuration and statistics specific to common Wireless LANs.

These tools provide a method of controlling the parameters of a wireless card, regardless of what kind of card is installed (assuming that the wireless card driver uses the kernel's wireless extensions). They allow you to set the ESSID, WEP keys, operating mode (BSS or IBSS), channel, power saving modes, and a slew of other options. Simply unpacking the archive and running make; make install should copy the binaries to /usr/local/sbin (see the installation notes in the package for more details). The tools currently bundled in Version 21 are iwconfig, iwspy, iwlist, and iwpriv. They are absolutely necessary for any Linux gateway or client.

Like its networking counterpart ifconfig, the iwconfig tool operates on a specific interface and lets you view or change its parameters. You can run it at any time from the command line as root to see what's going on. In addition, PCMCIA-CS calls iwconfig when a card is inserted in order to set the initial parameters.

Here's a typical iwconfig output:

root@entropy:~# iwconfig eth0
eth0      IEEE 802.11-DS  ESSID:"NoCat"  Nickname:"Entropy"
          Mode:Ad-Hoc  Frequency:2.412GHz  Cell: 00:02:2D:FF:00:22
          Bit Rate:11Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
          RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:56/92  Signal level:-40 dBm  Noise level:-96 dBm
          Rx invalid nwid:0  invalid crypt:0  invalid misc:0

As you can see, eth0 is a wireless device. The ESSID is set to "NoCat" and WEP encryption is off. For security reasons, the encryption parameter is shown only if iwconfig is run by root. If there are any other wireless cards in range with the same parameters set, they can "see" this node and communications can commence exactly as if they were on the same physical piece of wire. Run man iwconfig for the full list of parameters. The iwconfig binary should be in a common binary path (like /usr/sbin or /usr/local/sbin) for PCMCIA-CS to be able to use it.

The other tools allow nifty features like monitoring the relative signal strength of other IBSS nodes, showing available frequencies and encoding bit rates, and even setting internal driver parameters, all from the command line. See the documentation for the full details, and there are more examples in Chapter 7.

For most operations involving a wireless gateway, the iwconfig tool provides all the functionality we need to program the wireless card. While you're at Jean Tourrilhes' site, also pick up a copy of hermes.conf and copy it to /etc/pcmcia. It will tell PCMCIA to use the new orinoco_cs driver (rather than the older wvlan_cs) for all compatible radios. See his site documentation for more details.

5.1.6 Masquerading


From the IP Masquerade HOWTO (available at http://www.linuxdoc.org/HOWTO/IPMasquerade-HOWTO.html):

IP Masq is a form of Network Address Translation or NAT that allows internally connected computers that do not have one or more registered Internet IP addresses to have the ability to communicate to the Internet via your Linux box's single Internet IP address.

IP masquerading makes it almost trivial to give an entire private network access to the Internet, while only using one official, registered IP address.

By configuring the gateway's wired Ethernet to use your ISP-assigned address and enabling masquerading between the wireless and the wire, all of your wireless clients can share the Internet connection, as shown in Figure 5-1. The internal hosts think they're connected directly to the Internet, and there is no need to specially configure any applications (as you would with a traditional proxy server).

Figure 5-1. Using masquerading, an entire private network can "hide" behind a single real IP address


As with any form of NAT, masquerading isn't without its drawbacks. For example, the connectivity is one-way by default. Internal hosts can connect to Internet resources, but users from the Internet cannot connect to internal nodes directly.

To configure masquerading for the 2.2.19 kernel, save the following script to /etc/rc.d/rc.firewall, and add a call to it in your /etc/rc.d/rc.local startup script:

#!/bin/sh
echo "Enabling IP masquerading..."
# Set the default forwarding policy to DENY
/sbin/ipchains -P forward DENY
# Enable masquerading from the local network
/sbin/ipchains -A forward -s 10.0.0.0/24 -j MASQ
# Turn on forwarding in the kernel (required for MASQ)
echo "1" > /proc/sys/net/ipv4/ip_forward

For Linux 2.4.5, install these commands in the same place, but use iptables to set up the masquerading rules:

#!/bin/sh
echo "Enabling IP Masquerading..."
# Rewrite the source address of packets leaving on the interface named by -o
/sbin/iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# Turn on forwarding in the kernel (required for MASQ)
echo "1" > /proc/sys/net/ipv4/ip_forward

Be sure to substitute eth0 with the interface name of your wireless card. You can also get a copy of these sample scripts at: http://www.oreilly.com/catalog/wirelesscommnet/.


These rules will enable anyone within range of your radio to masquerade behind your live IP address and access the Internet as if they were directly connected.
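Since the script above forwards everything, here is an added example (not the book's script) of a 2.4-kernel rc.firewall that keeps the MASQUERADE rule but pairs it with a default-deny FORWARD policy, so only the wireless-to-Internet direction and the replies to it get through. It assumes the wired card is eth0, the radio is eth1, the 10.0.0.0/24 subnet from network.opts, and that the connection tracking option from the 2.4.5 kernel list is built in; by default it only prints the rules for review.

```shell
#!/bin/sh
# Assumptions (override with environment variables): wired/Internet-facing
# card eth0, wireless card eth1, wireless subnet 10.0.0.0/24.
# Rules are PRINTED for review unless APPLY=1 is set (run as root).
WIRED=${WIRED:-eth0}
WIRELESS=${WIRELESS:-eth1}
WLAN_NET=${WLAN_NET:-10.0.0.0/24}
IPT=${IPT:-/sbin/iptables}

# Print a command (review mode) or execute it (APPLY=1).
run() {
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    else
        printf '%s\n' "$*"
    fi
}

firewall_rules() {
    run "$IPT" -F FORWARD
    run "$IPT" -t nat -F POSTROUTING
    # Nothing is forwarded unless a rule below allows it.
    run "$IPT" -P FORWARD DROP
    # Anti-spoofing: packets from the radio must carry a wireless-subnet address.
    run "$IPT" -A FORWARD -i "$WIRELESS" ! -s "$WLAN_NET" -j DROP
    # Wireless clients may open connections toward the Internet...
    run "$IPT" -A FORWARD -i "$WIRELESS" -o "$WIRED" -s "$WLAN_NET" -j ACCEPT
    # ...and only replies to those connections are let back in
    # (needs the connection tracking option from the kernel list).
    run "$IPT" -A FORWARD -i "$WIRED" -o "$WIRELESS" \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Record (rate-limited) what the default policy is about to drop.
    run "$IPT" -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FWD-DROP: "
    # NAT: -o names the interface packets LEAVE on, i.e. the wired card,
    # whose address replaces the private 10.0.0.x source.
    run "$IPT" -t nat -A POSTROUTING -o "$WIRED" -s "$WLAN_NET" -j MASQUERADE
}

enable_forwarding() {
    run sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'
}

echo "Enabling IP masquerading with a default-deny forward policy..."
firewall_rules
enable_forwarding
```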


5.1.7 DHCP Services

As seen in Chapter 3, DHCP lets network clients automatically discover the proper network parameters without human intervention. If we want our wireless clients to use DHCP, we need to provide it on the wireless interface.


You may be thinking, "Why not just bridge the two networks together and use my network's existing DHCP service?" Unfortunately, many 802.11b manufacturers (including Lucent) recognize that if Layer 2 bridging were possible in their client cards, then there would be very little need for their high-end (and expensive) access points. As a result, the ability to bridge has been specifically disabled in the client card's firmware. Some manufacturers (notably Cisco) still allow bridging at the link layer.

The standard DHCP server was written by the Internet Software Consortium. If it wasn't provided by your distribution, pick up a copy at http://www.isc.org/products/DHCP/. Configuration is very straightforward. Just create an /etc/dhcpd.conf with the following information:

subnet 10.0.0.0 netmask 255.255.255.0 {
    range 10.0.0.100 10.0.0.200;
    option routers 10.0.0.1;
    option domain-name-servers 1.2.3.4;
}

Substitute 1.2.3.4 with your local DNS server.

Once that is in place, add an entry in your /etc/rc.d/rc.local script to call dhcpd on the wireless interface. Assuming your wireless card is at eth0, this should do it:


echo "Starting dh