If you are close to Acacia (in Melba, ACT - Australia), you will see a Wireless LAN called AcaciaLTPublicWWW that you can connect to by setting the following:
- SID = AcaciaLTPublicWWW
- WEP = disabled
- Network Authentication = none
- Access point = true
- Proxy Server = 192.168.2.254 port = 3128 (should be automatic for IE and Mozilla)
Note: this project has been upgraded to the new MegaRouter and this page is currently being updated. FC4 is used for routing between 5 subnets and works really well. Geoff. 4 Apr 06.
The aim of this project is to share spare Internet capacity with others in the local area without exposing the Acacia LAN to the world. This is a major problem with the simplistic approach taken by the WLAN equipment suppliers. It seems so simple to purchase a WLAN base station router, connect it to your ADSL modem and network, and provide roaming access all over your property! The catch is that everyone within radio range also has access to your PCs and data. The firewall in these devices is only designed to protect your network from the Internet, but leaves your LAN fully exposed to anyone within radio range. Don't forget that directional antennas such as used for satellite TV can be used to connect to your WLAN from up to 2 km away.
This project provides all of the details that you will need in order to set up a similar shared access facility.
Although this project looks very straight forward, it took a number of days to get it all functioning. The main difficulty is that all components link together like a chain, and any one setting (like your browser proxy setting) can make it appear that nothing is working. I trust that the steps set out in this project will let you avoid much of this pain.
The Acacia network started off with a single Windows 98 PC, configured with a network card connected to an ADSL modem. As soon as this was working, another NIC was added and connected to an 8 port network hub and from this to a number of other Windows and Linux PCs. Hardware problems with the ADSL modem meant resetting by switching power on and off was needed. Linux with 240V X10 control soon entered the equation, pinging Internet sites and doing an automatic power reset operation as required to retain Internet connectivity.
This configuration is probably typical of many small networks, but note the lack of firewall, proxying and dependence on unreliable Windows systems.
Acacia soon moved to a seperate Linux based firewall (ipchains), and using RP ADSL software. Separate web and mail servers were added.
The first attempt to hook up a WLAN access point quickly revealed the security vulnerabilities noted above and the device was removed. Later, an extra internal firewall was added to isolate the WLAN device into a subnetwork and force all traffic through the main gateway to the Internet. This had problems as many of the LAN facilities such as DHCP, DNS and Web Server had to be exposed from the protected LAN out to the WLAN.
The final iteration of WLAN facilities is described in this project. The installation is based on a "MegaRouter" with 6 network interfaces including:
- eth1 via ppp0 to the Internet
- eth0 to the Acacia LAN
- eth2 to the DMZ containing the Acacia Web Server
- wlan0 to an internal WLAN card for WLAN routing (future)
- ppp1 via USB to a BlueTooth access point
- eth3 to a WLAN access point
The "MegaRouter" makes it simple to implement a comprehensive firewall to handle all traffic between all subnets. It also allows any required services to be masqeraded directly at the network interface whilst allowing them to be hosted on any of the subnets.
As can be seen in the following diagram, the "MegaRouter" consists of a single Linux server with 6 network ports running iptables firewall. In order to support web access, DHCP, DNS and Squid proxy servers are also installed.
To emulate this public access WLAN configuration, you will need:
- An old 486 or better PC to act as the firewall.
- A configured ADSL connection. This project just plugs into your LAN.
- A Belkin 802.11g Router (54 Mbps 2.4GHz).
- A test PC or Laptop with a WLAN card.
- A bluetooth USB dongle.
- An old satellite antenna and internal WLAN card.
In order to implement this project in your own environment, you will need one or more PCs with the following software installed:
- Secure Shell Client (SSH) for the firewall test and configuration PC.
- iptables on the WLAN firewall.
- Domain Name Service.
- Dynamic Host Configuration Protocol.
- A web proxy server.
- Linux (Fedora 4 or newer)
Configuration and Testing
This is a fairly complex project, but the following steps should guide you through the process:
- Install LAN and WLAN cards in the WLAN firewall.
- Install Fedora Core 4 or newer on the WLAN firewall.
- Alter your /etc/modprobe.conf file as follows (change IO and IRQ to match)
WLAN Firewall Configuration
alias eth0 8139too alias eth1 8139too alias eth2 8139too alias eth3 8139too alias wlan0 ndiswrapper options eth0 io=0xc400 options eth1 io=0xc000 options eth2 io=0xbc00 options eth3 io=0xb800 alias usb-controller uhci-hcd
service network restart
service dhcpd start
chkconfig dhcpd on
WLAN Firewall Testing
These are the most important steps and you may as well stop here if you can't get through this testing.
- Log into the WLAN firewall and make sure that you can connect to (ping) other computers on your LAN.
- Copy the wlan_firewall script into /etc/rc.d/init.d/wlan_firewall
- Adjust the wlan_firewall script (particularly the lines starting with "NAT") to suite your network.
- Start the firewall by typing:
service wlan_firewall start
ssh 192.168.xxx.23 (change to your own IP address)
telnet 192.168.2.2 80
WLAN Radio Base Station Configuration
Only start on the following once all tests in the earlier section work.
- Connect your test PC to the eth1 (radio) side of the WLAN firewall.
- The WLAN DHCP server should provide your test PC with a suitable address. If this does not work, debug and correct the problem.
- Connect your WLAN router to the eth1 (radio) side of the WLAN firewall. Ensure that you connnect the green (Internet) port to the WLAN Firewall.
- Check that the WLAN Firewall dhcp server issues a new address to the device.
- Start a web browser on your test PC and turn off the proxy server setting so you use a direct connection.
- Navigate to 192.168.2.1 (the default address for the Belkin Router) and you should see the configuration page.
- Download the sample wlan_admcfg.cfg file from and use the admin facility to restore settings from this file. You can always do a hardware reset if things do not work or if you want to set the router up manually.
- Wait until the router resets (25 sec) then set a security password to stop users messing with your settings.
- To get browser to autoconfigure the proxy address: ensure that you have your DNS set up to point any request for wpad.your_domain.com to point to a web server containing wpad.dat in the web root directory. Ensure that the domain name that is configured in your WLAN Router is the same and your registered domain name as the browser will go through the auto-discovery sequence:
- Check for code 252 from DHCP. This would take it to proxy.pac, but this facility is not available in the Belkin WLAN router. grrr!
- Do an nslookup for wpad.your_domain.com. Attempt to auto-configure from http://wpad.your_domain.com/wpad.dat
- Set the proxy details from one of the above to 192.168.2.2:80.
WLAN Radio Base Station Testing
This is the easy part.
- Connect your test PC to one of the Ethernet ports on the WLAN router.
- Start a web browser on your test PC and set the proxy server address to 192.168.2.2 and check that the web can be accessed.
- Check that DNS works correctly using a DOS shell:
nmap 192.168.3.* nmap 192.168.2.* nmap 192.168.xxx.*
Using the configuration supplied in this project, you can administer both the WLAN Firewall and the WLAN Router from your internal network as follows:
- Log in to a PC on your private network and use the following to administer the WLAN Firewall:
ssh 192.168.xxx.23 (change to your own IP address)
Download the wlan_firewall script.
Download the wlan_dhcpd.conf script.
Download the wlan_admcfg.cfg script.
It may be worth reading some of the following links if you are encountering problems:
This is a growing project. Some enhancement ideas include:
- Provide email, time and web site facilities.
- Provide local SMB storage.
- You tell me...
Please let me know if you have problems setting this up or you have suggestions or corrections.
Click here to check out the list of other projects.
You may also like to click here to check out the list of Artificial Intelligence projects.
You might also like to submit your idea to our Free Ideas page for the benefit of other like-minded soles.