Quick Settings
If you are close to Acacia (in Melba, ACT - Australia), you will see a Wireless LAN called AcaciaLTPublicWWW that you can connect to by setting the following:
- SSID = AcaciaLTPublicWWW
- WEP = disabled
- Network Authentication = none
- Access point = true
- Proxy Server = 192.168.2.254 port = 3128 (should be automatic for IE and Mozilla)
All that we ask is that you comply with our Acceptable Use Policy and that you email us to tell us your experience with this facility.
Overview
Note: this project has been upgraded to the new MegaRouter and this page is currently being updated. FC4 is used for routing between 5 subnets and works really well. Geoff. 4 Apr 06.
The aim of this project is to share spare Internet capacity with others in the local area without exposing the Acacia LAN to the world. That exposure is the major weakness of the simplistic approach encouraged by WLAN equipment suppliers. It seems so simple to buy a WLAN base station router, connect it to your ADSL modem and network, and have roaming access all over your property. The catch is that a consumer access point bridges every wireless client straight onto your LAN, so everyone within radio range also has access to your PCs and data. The firewall in these devices is designed only to protect your network from the Internet; it does nothing to separate wireless clients from your LAN. Don't forget that a directional antenna, such as an old satellite TV dish, can be used to connect to your WLAN from up to 2 km away.
This project provides all of the details that you will need in order to set up a similar shared access facility.
Although this project looks very straightforward, it took a number of days to get it all functioning. The main difficulty is that all the components link together like a chain, and any single setting (such as your browser's proxy setting) can make it appear that nothing is working. I trust that the steps set out in this project will let you avoid much of this pain.
Background
The Acacia network started off with a single Windows 98 PC with a network card connected to an ADSL modem. As soon as this was working, a second NIC was added and connected to an 8-port hub, and from there to a number of other Windows and Linux PCs. Hardware problems with the ADSL modem meant it had to be reset by switching its power off and on. Linux with 240V X10 control soon entered the equation, pinging Internet sites and power-cycling the modem automatically whenever connectivity was lost.
This configuration is probably typical of many small networks, but note the lack of a firewall and proxy, and the dependence on unreliable Windows systems.
Acacia soon moved to a separate Linux-based firewall (ipchains) using RP ADSL software. Separate web and mail servers were added.
The first attempt to hook up a WLAN access point quickly revealed the security problem noted above, and the device was removed. Later, an extra internal firewall was added to isolate the WLAN device in its own subnet and force all of its traffic through the main gateway to the Internet. This had its own problems, as many LAN facilities such as DHCP, DNS and the web server then had to be exposed from the protected LAN out to the WLAN.
The final iteration of the WLAN facilities is described in this project. The installation is based on a "MegaRouter" with these 6 network interfaces:
- eth1 via ppp0 to the Internet
- eth0 to the Acacia LAN
- eth2 to the DMZ containing the Acacia Web Server
- wlan0 to an internal WLAN card for WLAN routing (future)
- ppp1 via USB to a BlueTooth access point
- eth3 to a WLAN access point
The "MegaRouter" makes it simple to implement a comprehensive firewall that handles all traffic between all subnets. It also allows any required service to be masqueraded directly at the network interface whilst being hosted on any of the subnets.
Physical Configuration
As can be seen in the following diagram, the "MegaRouter" consists of a single Linux server with 6 network ports running an iptables firewall. To support web access, DHCP, DNS and Squid proxy servers are also installed on it.
Hardware
To emulate this public access WLAN configuration, you will need:
- An old 486 or better PC to act as the firewall.
- A configured ADSL connection. This project just plugs into your LAN.
- A Belkin 802.11g Router (54 Mbps 2.4GHz).
- A test PC or Laptop with a WLAN card.
And optionally:
- A bluetooth USB dongle.
- An old satellite antenna and internal WLAN card.
Software
In order to implement this project in your own environment, you will need one or more PCs with the following software installed:
- An SSH client on the PC used to test and configure the firewall.
- iptables on the WLAN firewall.
- Domain Name Service.
- Dynamic Host Configuration Protocol.
- A web proxy server.
- Linux (Fedora 4 or newer)
Configuration and Testing
This is a fairly complex project, but the following steps should guide you through the process:
- Install LAN and WLAN cards in the WLAN firewall.
- Install Fedora Core 4 or newer on the WLAN firewall.
- Alter your /etc/modprobe.conf file as follows (change the IO and IRQ values to match your cards):
WLAN Firewall Configuration
alias eth0 8139too
alias eth1 8139too
alias eth2 8139too
alias eth3 8139too
alias wlan0 ndiswrapper
options eth0 io=0xc400
options eth1 io=0xc000
options eth2 io=0xbc00
options eth3 io=0xb800
alias usb-controller uhci-hcd
- Give each interface its address by editing the matching /etc/sysconfig/network-scripts/ifcfg-eth? file, then restart networking and check the result:
vi /etc/sysconfig/network-scripts/ifcfg-eth?
service network restart
ifconfig
- Configure the DHCP server for the WLAN subnet (see the wlan_dhcpd.conf file under Code) and make it start at boot:
vi /etc/dhcpd.conf
service dhcpd start
chkconfig dhcpd on
- Give the iptables log messages (logged at kernel priority debug) their own file by adding this line to /etc/syslog.conf, then restart syslog:
kern.=debug /var/log/firewall
WLAN Firewall Testing
These are the most important steps and you may as well stop here if you can't get through this testing.
- Log into the WLAN firewall and make sure that you can connect to (ping) other computers on your LAN.
- Copy the wlan_firewall script to /etc/rc.d/init.d/wlan_firewall
- Adjust the wlan_firewall script (particularly the lines starting with "NAT") to suit your network.
- Start the firewall by typing:
service wlan_firewall start
- From a PC on your LAN, check that you can still reach the firewall by SSH, that the proxy port (192.168.2.2:80 in this configuration) accepts connections, and that DNS resolves:
ssh 192.168.xxx.23 (change to your own IP address)
telnet 192.168.2.2 80
nslookup telstra.com
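The page's own wlan_firewall script is only available as a download, so the following is an added example (not the project's script) of the policy such a script has to enforce: wireless clients may use DHCP, DNS and the proxy on the firewall, may go out to the Internet behind NAT, and can never reach the private LAN. Interface roles (eth0 LAN, eth3 access point, ppp0 Internet) follow the MegaRouter interface list above; the subnets 192.168.3.0/24 and 192.168.1.0/24, the proxy port 3128, the chain names WLAN_IN/WLAN_FWD and the log prefixes are all assumptions to be changed for your network.

```shell
#!/bin/sh
# wlan_firewall (illustrative): iptables policy that keeps WLAN clients off the LAN.
# Added example for this page; it is NOT the downloadable wlan_firewall script.
# Interface roles are taken from the MegaRouter interface list on this page.
# Every address below is an assumption: change it to match your own subnets.

IPT=${IPT:-iptables}        # set IPT=echo to print the rules instead of loading them

INET_IF=ppp0                # eth1 via ppp0 to the Internet
LAN_IF=eth0                 # protected Acacia LAN
WLAN_IF=eth3                # WLAN access point plugs into this port
WLAN_NET=192.168.3.0/24     # assumed WLAN subnet handed out by the WLAN dhcpd
LAN_NET=192.168.1.0/24      # assumed; the page writes the LAN as 192.168.xxx
PROXY_PORT=3128             # assumed: Squid listening on the firewall itself

wlan_rules() {
    # Own chains, so "start" can be re-run without stacking duplicate rules.
    for chain in WLAN_IN WLAN_FWD; do
        $IPT -N "$chain" 2>/dev/null || true
        $IPT -F "$chain"
    done
    # Hook (idempotently) every packet arriving from, or routed to, the radio side.
    $IPT -D INPUT   -i "$WLAN_IF" -j WLAN_IN  2>/dev/null || true
    $IPT -D FORWARD -i "$WLAN_IF" -j WLAN_FWD 2>/dev/null || true
    $IPT -D FORWARD -o "$WLAN_IF" -j WLAN_FWD 2>/dev/null || true
    $IPT -I INPUT   -i "$WLAN_IF" -j WLAN_IN
    $IPT -I FORWARD -i "$WLAN_IF" -j WLAN_FWD
    $IPT -I FORWARD -o "$WLAN_IF" -j WLAN_FWD
    $IPT -P FORWARD DROP

    # Radio-side packets aimed at the firewall itself: only DHCP, DNS and the proxy.
    # Nothing else (no SSH, no SMB): the box is administered from the LAN side.
    $IPT -A WLAN_IN -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A WLAN_IN -p udp --dport 67 -j ACCEPT
    $IPT -A WLAN_IN -s "$WLAN_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A WLAN_IN -s "$WLAN_NET" -p tcp --dport 53 -j ACCEPT
    $IPT -A WLAN_IN -s "$WLAN_NET" -p tcp --dport "$PROXY_PORT" -j ACCEPT
    $IPT -A WLAN_IN -j LOG --log-prefix "WLAN-INPUT-DROP: " --log-level debug
    $IPT -A WLAN_IN -j DROP

    # Radio-side packets routed elsewhere: never into the LAN (logged so probes show
    # up in /var/log/firewall), optionally straight out to the Internet. Delete the
    # INET_IF ACCEPT to force all web traffic through the proxy.
    $IPT -A WLAN_FWD -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A WLAN_FWD -i "$WLAN_IF" -o "$LAN_IF" -j LOG --log-prefix "WLAN-LAN-DROP: " --log-level debug
    $IPT -A WLAN_FWD -i "$WLAN_IF" -o "$LAN_IF" -j DROP
    $IPT -A WLAN_FWD -i "$WLAN_IF" -o "$INET_IF" -s "$WLAN_NET" -j ACCEPT
    # The LAN may open connections towards the radio side (e.g. to administer the
    # access point); the replies come back through the state rule above.
    $IPT -A WLAN_FWD -i "$LAN_IF" -o "$WLAN_IF" -j ACCEPT
    $IPT -A WLAN_FWD -j DROP

    # NAT: hide the WLAN subnet behind the ADSL address (the page's "NAT" lines).
    $IPT -t nat -D POSTROUTING -s "$WLAN_NET" -o "$INET_IF" -j MASQUERADE 2>/dev/null || true
    $IPT -t nat -A POSTROUTING -s "$WLAN_NET" -o "$INET_IF" -j MASQUERADE
}

wlan_stop() {
    # Unhook and delete our chains; the FORWARD policy is left as it is.
    $IPT -D INPUT   -i "$WLAN_IF" -j WLAN_IN  2>/dev/null || true
    $IPT -D FORWARD -i "$WLAN_IF" -j WLAN_FWD 2>/dev/null || true
    $IPT -D FORWARD -o "$WLAN_IF" -j WLAN_FWD 2>/dev/null || true
    $IPT -t nat -D POSTROUTING -s "$WLAN_NET" -o "$INET_IF" -j MASQUERADE 2>/dev/null || true
    for chain in WLAN_IN WLAN_FWD; do
        $IPT -F "$chain" 2>/dev/null || true
        $IPT -X "$chain" 2>/dev/null || true
    done
}

case "${1:-}" in
    start)   wlan_rules ;;
    stop)    wlan_stop ;;
    restart) wlan_stop; wlan_rules ;;
    "")      ;;   # no action given: just define the functions (e.g. when sourced)
    *)       echo "Usage: $0 {start|stop|restart}" >&2; exit 1 ;;
esac
```

Run it as `service wlan_firewall start` once installed, or `IPT=echo sh wlan_firewall start` first to read the rules it would load. It deliberately covers only the radio-side traffic: the LAN-to-Internet and DMZ rules of the main MegaRouter firewall, and the NAT entries the page's script uses to reach the Belkin router's admin page from the LAN, are outside this example. The two LOG rules are written at level debug so that the `kern.=debug /var/log/firewall` syslog line above collects them.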
WLAN Radio Base Station Configuration
Only start on the following once all tests in the earlier section work.
- Connect your test PC to the eth1 (radio) side of the WLAN firewall.
- The WLAN DHCP server should provide your test PC with a suitable address. If this does not work, debug and correct the problem.
- Connect your WLAN router to the eth1 (radio) side of the WLAN firewall. Ensure that you connect the green (Internet) port to the WLAN Firewall.
- Check that the WLAN Firewall dhcp server issues a new address to the device.
- Start a web browser on your test PC and turn off the proxy server setting so you use a direct connection.
- Navigate to 192.168.2.1 (the default address for the Belkin Router) and you should see the configuration page.
- Download the sample wlan_admcfg.cfg file (see Code below) and use the router's admin facility to restore settings from this file. You can always do a hardware reset if things do not work or if you want to set the router up manually.
- Wait until the router resets (25 sec), then set an admin password so that WLAN users cannot change your settings.
- To have browsers configure the proxy automatically (WPAD), make your DNS answer wpad.your_domain.com with the address of a web server that serves wpad.dat from its web root, and make sure the domain name the WLAN router hands out to clients is the same as your registered domain name, because the browser's auto-discovery sequence is:
- Check for DHCP option 252. This would point the browser at a proxy.pac URL, but the Belkin WLAN router cannot send that option.
- Look up wpad.your_domain.com in DNS and fetch http://wpad.your_domain.com/wpad.dat.
- Whichever method succeeds, the file it fetches sets the proxy to 192.168.2.2:80. Note that if wpad.your_domain.com does not resolve, browsers keep trying shorter parent names of the domain, so a missing record can hand your clients to a proxy you do not control; always serve the record yourself.
WLAN Radio Base Station Testing
This is the easy part.
- Connect your test PC to one of the Ethernet ports on the WLAN router.
- Start a web browser on your test PC and set the proxy server address to 192.168.2.2 and check that the web can be accessed.
- Check that DNS works correctly from a Windows command prompt (DOS shell):
nslookup telstra.com
- From the test PC on the WLAN side, scan the three subnets to confirm the isolation. Only the WLAN router and the WLAN firewall's radio-side address should answer; if any host on your private LAN (192.168.xxx.*) shows up, the firewall rules are wrong and must be fixed before the WLAN goes public:
nmap 192.168.3.*
nmap 192.168.2.*
nmap 192.168.xxx.*
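The nmap scan above proves the isolation once; the firewall log shows whether anyone keeps trying. The script below is an added example (not part of the original project) that summarises blocked WLAN-to-LAN packets per wireless client from /var/log/firewall. It assumes the firewall drops those packets through the iptables LOG target with the prefix "WLAN-LAN-DROP: " at level debug, so that the `kern.=debug /var/log/firewall` syslog line routes them into that file; the log lines embedded in it are constructed samples in the kernel's LOG format, with 192.168.3.x standing for the WLAN side and 192.168.1.x for the LAN (both assumed).

```shell
#!/bin/sh
# Summarise blocked WLAN-to-LAN traffic from the firewall log.
# Added example for this page, not part of the original project. It assumes the
# WLAN firewall logs such packets with the iptables LOG target using the prefix
# "WLAN-LAN-DROP: " at level debug, so that the "kern.=debug /var/log/firewall"
# syslog line on this page routes them into /var/log/firewall.

# Constructed sample lines in the kernel's iptables LOG format, standing in for
# /var/log/firewall. 192.168.3.x is the WLAN side, 192.168.1.x the LAN (both assumed).
SAMPLE_LOG='Apr  4 10:15:22 megarouter kernel: WLAN-LAN-DROP: IN=eth3 OUT=eth0 SRC=192.168.3.17 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=41234 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 10:15:22 megarouter kernel: WLAN-LAN-DROP: IN=eth3 OUT=eth0 SRC=192.168.3.17 DST=192.168.1.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1235 DF PROTO=TCP SPT=41235 DPT=139 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 10:15:23 megarouter kernel: WLAN-LAN-DROP: IN=eth3 OUT=eth0 SRC=192.168.3.17 DST=192.168.1.6 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1236 DF PROTO=TCP SPT=41236 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 10:16:01 megarouter kernel: WLAN-INPUT-DROP: IN=eth3 OUT= SRC=192.168.3.22 DST=192.168.3.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=77 DF PROTO=TCP SPT=50000 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Apr  4 10:20:09 megarouter kernel: WLAN-LAN-DROP: IN=eth3 OUT=eth0 SRC=192.168.3.22 DST=192.168.1.5 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=78 PROTO=ICMP TYPE=8 CODE=0 ID=512 SEQ=1'

# wlan_lan_drops [logfile]
# Reads the given file (or stdin) and prints one line per WLAN source address that
# tried to reach the LAN:  <source> <packets> <distinct LAN hosts> <services tried>
wlan_lan_drops() {
    awk '
    /WLAN-LAN-DROP: / {
        src = ""; dst = ""; proto = ""; dpt = ""
        # Pull the KEY=VALUE fields we care about out of the LOG line.
        for (i = 1; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue
            if (kv[1] == "SRC") src = kv[2]
            else if (kv[1] == "DST") dst = kv[2]
            else if (kv[1] == "PROTO") proto = kv[2]
            else if (kv[1] == "DPT") dpt = kv[2]
        }
        if (src == "") next
        pkts[src]++
        if (!((src, dst) in seen_dst)) { seen_dst[src, dst] = 1; hosts[src]++ }
        svc = (dpt != "") ? proto "/" dpt : proto        # e.g. TCP/445, or ICMP
        if (!((src, svc) in seen_svc)) {
            seen_svc[src, svc] = 1
            if (svcs[src] == "") svcs[src] = svc
            else svcs[src] = svcs[src] "," svc
        }
    }
    END {
        for (s in pkts) printf "%s %d %d %s\n", s, pkts[s], hosts[s], svcs[s]
    }' ${1:+"$1"} | sort
}

# Run with "demo" to see the summary for the sample above, or give it the real log:
#   sh wlan_lan_drops.sh /var/log/firewall
case "${1:-}" in
    demo) printf '%s\n' "$SAMPLE_LOG" | wlan_lan_drops ;;
    "")   ;;
    *)    wlan_lan_drops "$1" ;;
esac
```

On the sample it reports 192.168.3.17 as having sent 3 packets to 2 LAN hosts on TCP/445 and TCP/139 (an SMB sweep, which is exactly what the isolation exists to stop) and 192.168.3.22 as having pinged one LAN host; the WLAN-INPUT-DROP line, an SSH attempt against the firewall itself, is a different rule and is left out. A client that appears here repeatedly is a candidate for having its lease revoked under the Acceptable Use Policy.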
Administration
Using the configuration supplied in this project, you can administer both the WLAN Firewall and the WLAN Router from your internal network as follows:
- Log in to a PC on your private network and use the following to administer the WLAN Firewall:
ssh 192.168.xxx.23 (change to your own IP address)
Code
Download the wlan_firewall script.
Download the wlan_dhcpd.conf file.
Download the wlan_admcfg.cfg file.
Links
It may be worth reading some of the following links if you are encountering problems:
Ideas
This is a growing project. Some enhancement ideas include:
- Provide email, time and web site facilities.
- Provide local SMB storage.
- ...
- You tell me...
Please let me know if you have problems setting this up or you have suggestions or corrections.
If you would like to get any further information on this or any of the other projects shown on this web site, please send an email to Acacia Lateral Technologies or place a comment in our Guest Book.
