My WLAN

This is a brief description of my home WLAN, presented in the hope that it might serve as a useful guide for anybody wanting to set up a similar system. I regularly see people asking on various mailing lists how to build a WLAN for their home, so maybe this will provide a useful overview for them.

Update
Yesterday I re-arranged my WLAN to incorporate a new wired segment. The old setup is described further down this page.

Overview

My WLAN is an Ad-Hoc network with one machine ('satellite') connected to the internet through an Alcatel Speedtouch ADSL modem. Satellite also has a wired LAN connected to it, and all my other machines connect to the internet through satellite.

WLAN

Obviously, the first thing you need to do is configure all your network connections so that the machines can see one another. If you can't ping machine A from machine B, you really need to sort that out before messing around with anything else!

Satellite is my Toshiba Satellite running SuSE 9.0. It's connected to the internet via the Speedtouch ADSL modem. SuSE has a page which describes how to get the modem running. SuSE claim that 9.0 works 'out of the box' with the Speedtouch, but that doesn't appear to be entirely true, so I followed the instructions for 8.0 and that worked. The page references 'speedmgmt.tar.gz', which it says can be downloaded from the Alcatel website, but Alcatel seem to have removed or hidden the file. As it happened, I had an old copy from a year or so ago and I used that: make complains that the source was designed for a previous version of gcc, but it compiles anyway and it does work. If you want a copy, please Email me.

So, install the 'speedmgmt' software in the first instance, make the changes described in the SuSE webpage, plug in the modem and then use YaST to enter the connection details. Some notes:

  • Select PPPoA
  • The VPI/VCI textbox expects a dotted value, e.g. 0.38 for BT (my ISP)

Everything else is pretty straightforward. When completed, kinternet (the dialer software) will start. Click on the connection icon to connect, and again to disconnect. When connected you can use ifconfig to see the connection, which should appear as 'ppp0'.

The next step that you should take is to enable and configure the firewall using YaST. Unfortunately, the YaST dialogue is a bit simplistic - it's probably adequate for a simple setup, but it wasn't sufficient for what I wanted to do. So, I used YaST to start the firewall and produce a config file which I then edited by hand.

The firewall config file is ..

/etc/sysconfig/SuSEfirewall2

.. which I suggest you backup.

Luckily, it's fairly easy to setup by hand ;-)

What I wanted was to give every machine on the wired and wireless LANs unrestricted Internet access and, at the same time, hide all the services running on satellite (HTTP, SMTP, POP3, SSH etc.) from the Internet. So here's what I did:

  • Set FW_QUICKMODE="yes". Only the external interface is secured; the internal interfaces are treated as trusted.
  • Set FW_DEV_EXT="ppp0". This defines the external interface (the ADSL modem).
  • Set FW_DEV_INT="eth0 eth1". These are the internal interfaces: eth0 is the wired LAN, eth1 the wireless.
  • Set FW_ROUTE="yes". This turns on routing (IP forwarding) between the internal and external interfaces.
  • Set FW_MASQUERADE="yes". All traffic going out onto the internet has its source address rewritten so that it appears to come from satellite.
  • Set FW_MASQ_DEV="$FW_DEV_EXT". This is the interface the masqueraded traffic leaves through (the value of FW_DEV_EXT, i.e. ppp0).
  • Set FW_MASQ_NETS="0/0". Any source network may be masqueraded to any destination, which gives the machines on the internal networks unrestricted Internet access. If you would rather only forward for your own subnet, put its address here instead, e.g. "192.168.0.0/24".
  • Set FW_PROTECT_FROM_INTERNAL="no". The internal networks get unfiltered access to all the services on satellite. Bear in mind that this trusts anything that arrives on eth1, so whoever can join the WLAN gets the same access to satellite's services as my own machines (see the note on WEP further down).
  • Set FW_AUTOPROTECT_SERVICES="yes". Any service found running on satellite that isn't explicitly opened (via FW_SERVICES_EXT_TCP and friends) is blocked on the external interface. This is what hides HTTP, SMTP, POP3, SSH etc. from the Internet.

I left the rest of the options in SuSEfirewall2 empty. 'rcSuSEfirewall2 restart' restarts the firewall with the new config, and 'iptables -L -n -v' shows the rules it generated. The real check, though, is to try to reach one of satellite's services from a host out on the Internet and confirm that the connection is refused or times out, while the same connection from the wired or wireless LAN still works.

On my wireless clients I then set the default gateway to be the wireless card on satellite. Similarly, for the wired segment, the default gateway was set to the ethernet port on satellite. The running firewall on satellite takes care of forwarding and masquerading, so that's all there is to it. Job done ;-)


This is my old setup!

Overview

My WLAN is an 'Ad-hoc' network with one machine ('gateway') connected to the internet using an Alcatel Speedtouch ADSL modem. The remaining machines connect to the internet through 'gateway'.

The details

I'll start with 'gateway'. This machine handles connectivity to the internet for all my other nodes. Hardware-wise, 'gateway' is fairly unimpressive. It's an old 266MHz 486 laptop with a minimal amount of RAM in it; the only real requirements were that it have a USB port for the ADSL modem and a PCMCIA slot for the 802.11b card. Luckily, there was just such a laptop gathering dust in my office, so that became 'gateway'.

I spent quite a bit of time researching OS options for 'gateway' and eventually decided on Windows 98 SE. I rejected Linux after reading numerous articles describing difficulties in getting the Speedtouch modem to work even after kernel re-compiles. For a while I considered using Smoothwall Linux, which is designed for just this kind of use and, apparently, supports the Speedtouch modem, but I was unable to determine if it would work on a laptop and support PCMCIA 'out of the box'. In the end I took the path of least resistance and opted to use Windows. Windows 98 SE includes support for 'Internet Connection Sharing', which allows you to share a network interface with another network interface; this feature is not available on Windows releases prior to 98 SE, including plain old 98. There's a similar feature in XP, but it looks (I've not tried it) to be slightly less straightforward in so much as it requires all the other machines to use DHCP served by the machine with the shared connection. The Linux equivalent is called masquerading, and I briefly describe that a bit further down this page.

So, I wiped the hard disc in 'gateway' and installed a fresh copy of 98 SE. Then I updated all the device drivers for the laptop hardware from Maxdata's website. Then I installed the ADSL modem drivers and connection software supplied by my ISP (British Telecom), followed by the drivers for my Xircom 802.11b card. Once the modem and WLAN devices were configured and working correctly I 'shared' the modem connection with the WLAN connection and that's about it.

I prefer to use fixed IPs on my WLAN, so I didn't need to set up a DHCP server on 'gateway'. I did, however, edit the Windows hosts file and added entries for all the other machines on my WLAN. One of the benefits of using Ad-hoc mode, IMO, is that you're not reliant on one machine to handle all the network connections which means a single point of failure in one machine doesn't disable your network or prevent other nodes from obtaining IP addresses. Even if 'gateway' is switched off, all the other nodes can still talk to each other.

The other machines on my WLAN are described elsewhere on this site, so I won't describe them here. The exception is my wife's machine which is a new-ish Packard Bell desktop in the spare bedroom. I bought an Actiontec USB 802.11b adapter for this machine which came with its own drivers and runs flawlessly.

Getting them talking

Since I'm using fixed IPs, the first thing I did was to make sure that all my nodes had entries for all my other nodes in their hosts file (/etc/hosts in Linux, WINDOWSDIR\system32\drivers\etc\hosts in XP, WINDOWSDIR\hosts in Win98 etc.) so that every machine could resolve a machine name, e.g. 'sat802', to the IP address that machine is on. Every machine carries the same table:

192.168.0.1        gateway
192.168.0.2        sat802
192.168.0.3        vaio802
192.168.0.4        atsuko
192.168.0.5        lib802
192.168.0.6        zau802
192.168.0.7        ux50
192.168.0.8        xbox

Once that's done, all you need to do is tell all your machines to use one machine as a gateway. In my case, that machine is, literally, 'gateway'. Quite how you do this depends on your Linux distro or Windows version. As an example, on my Vaio I'm running Kondara, which is based on Red Hat, and I use this ifcfg-eth1 file (Red Hat-style systems keep these under /etc/sysconfig/network-scripts/):

DEVICE=eth1
ONBOOT=no
IPADDR=192.168.0.3
NETMASK=255.255.255.0
BROADCAST=192.168.0.255
GATEWAY=192.168.0.1

Obviously you'll need to make sure that all your wireless adapters are using the same settings for ESSID and channel number, and that they're all configured to use Ad-hoc mode. As an example, on my Vaio I use this command:

iwconfig eth1 essid "MYWLANNAME" channel 6 mode Ad-hoc rate auto

... Windows devices usually come with some kind of configuration interface for this.
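With eight machines each carrying a hand-edited copy of the hosts table above, the usual failures are a typo in one copy or the same address given to two machines, and either one shows up as "can't ping B from A" (the check from the top of the page). The following is an added example, not a script from the original page: it normalises hosts(5)-format files so two machines' copies can be diffed, flags duplicate addresses or names, and pings every entry. The sample tables at the bottom are constructed for the example; the mismatch in the second one is deliberate.

```shell
#!/bin/sh
# Added example (not from the original page): sanity checks for the
# hand-maintained hosts tables on an all-fixed-IP network like this one.
# Input is assumed to be in hosts(5) format; the sample tables at the
# bottom are constructed for this example.

# Reduce a hosts file to sorted "IP name" pairs, one per alias, with
# comments and blank lines removed, so two copies compare line by line.
normalize_hosts() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { for (i = 2; i <= NF; i++) print $1, $i }' | sort
}

# Report any address listed on more than one line, or any name listed
# twice; returns 1 if something was found. Aliases on one line are fine.
find_duplicates() {
    dups=$(sed 's/#.*//' "$1" | awk '
        NF >= 2 && ++ip[$1] == 2 { print "duplicate IP: " $1 }
        { for (i = 2; i <= NF; i++) if (++nm[$i] == 2) print "duplicate name: " $i }')
    [ -z "$dups" ] || { printf '%s\n' "$dups"; return 1; }
}

# Compare two machines' tables: prints the differing entries in diff
# format and returns 1 if they disagree, 0 if they match.
hosts_diff() {
    a=$(mktemp) && b=$(mktemp) || return 2
    normalize_hosts "$1" > "$a"
    normalize_hosts "$2" > "$b"
    if diff "$a" "$b"; then rc=0; else rc=1; fi
    rm -f "$a" "$b"
    return $rc
}

# Ping every address in a table once (1 s timeout, Linux iputils flags)
# and list the ones that do not answer: the "can A ping B" check.
check_reachable() {
    normalize_hosts "$1" | awk '$1 != "127.0.0.1"' | while read -r ip name; do
        ping -c 1 -W 1 "$ip" > /dev/null 2>&1 || echo "unreachable: $name ($ip)"
    done
}

# Constructed samples: gateway's table, sat802's copy with one wrong
# address, and a table that gives .2 to two machines.
SAMPLE_A=$(mktemp)
cat > "$SAMPLE_A" <<'EOF'
127.0.0.1     localhost
192.168.0.1   gateway
192.168.0.2   sat802
192.168.0.3   vaio802
EOF
SAMPLE_B=$(mktemp)
cat > "$SAMPLE_B" <<'EOF'
127.0.0.1     localhost
192.168.0.1   gateway
192.168.0.2   sat802
192.168.0.4   vaio802      # typo: vaio802 is really .3
EOF
SAMPLE_C=$(mktemp)
cat > "$SAMPLE_C" <<'EOF'
192.168.0.1   gateway
192.168.0.2   sat802
192.168.0.2   lib802       # .2 already belongs to sat802
EOF
trap 'rm -f "$SAMPLE_A" "$SAMPLE_B" "$SAMPLE_C"' EXIT

# Usage: copy each machine's hosts file next to this script and run
#   hosts_diff gateway.hosts sat802.hosts; find_duplicates gateway.hosts
hosts_diff "$SAMPLE_A" "$SAMPLE_B" || echo "tables disagree, fix before going on"
```

Run hosts_diff against the copy on each machine in turn; an empty diff and a clean find_duplicates on every node is the state you want before touching the gateway or firewall configuration.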

WEP

I use WEP on my WLAN to stop casual eavesdroppers from listening in and to stop other people joining my network and accessing my machines and resources. I am well aware that WEP is broken, so I use ssh and scp internally whenever I need to access one of the machines or copy files between them. If someone were to recover my keys, the most exciting thing they'd see would be me browsing the web or collecting my Email ;-) My Linux machines are all secure anyway, and enabling the XP Firewall thingy on Atsuko's machine has hopefully secured that. On 'gateway' I was careful to install a bare-bones system and I've made sure that there are no services listening on any of the ports that could lead to a break-in. In fact, 'gateway' is near enough invisible on the internet. I also use Kismet to regularly scan for other wireless nodes in my area, just to make sure that nobody's associated with my network who shouldn't be. See the iwconfig man page for details of setting the WEP key.

That's it

And that's about all there is to it.

Actually, there's one other thing ..

When I'm in the office I plug my Satellite or Vaio into the wired LAN, plug in a wireless card and then masquerade (NAT) for the Zaurus and the UX50 so that I can access the internet on the PDAs by going through the Satellite to the wired LAN. To do this I run a simple shell script on the Satellite ..

# turn on IP forwarding in the kernel
echo "1" > /proc/sys/net/ipv4/ip_forward
# replies coming back from the wired side to the wireless side
iptables -A FORWARD -i eth0 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
# anything from the wireless side out to the wired LAN
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
# rewrite the source address of packets leaving eth0 to the Satellite's own
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
# the office DHCP server hands out two default routes, so remove both ..
route del default
route del default
# .. and add the one we actually want
route add default gw 192.168.254.254

.. and then make sure that the Zaurus or UX50 is using the Satellite as its gateway with this script on the Z ..

route del default;route add default gw 192.168.0.2

.. or by changing the network settings on the UX50.

A very brief explanation:

The first script enables IP forwarding (1st line) and then sets up forwarding between eth1 (the wireless interface) and eth0 (the wired interface) (lines 2, 3 & 4): line 2 lets packets from the wired side back in to the wireless side only when they belong to a connection that is already established, line 3 lets anything from the wireless side out to the wired side, and line 4 rewrites the source address of everything leaving eth0 to the Satellite's own wired address. The two 'route del default' lines are there because my office has two ADSL lines and the DHCP server sets them both as default (don't ask); the final line manually adds a default route.

The second script simply deletes the default gateway on the Zaurus, and then sets it to the IP address of the Satellite.

Be aware that this is a quick and dirty way to use masquerading and is not secure in itself: the script never changes the default policy of the INPUT and FORWARD chains, which is ACCEPT, so anything the rules above don't match is still let through. That makes the ESTABLISHED,RELATED rule on line 2 effectively redundant (new connections from the wired side to the wireless side are accepted by the default policy anyway), and nothing at all filters traffic aimed at the Satellite itself. However, both of the office ADSL lines go through a well configured firewall, so I'm not expecting any attacks to come in from the internet. If you intend to masquerade directly out onto the internet you should read the iptables man pages, set the INPUT and FORWARD policies to DROP and only then add explicit ACCEPT rules, to make sure your gateway and the Zaurus are safe from evil hackers.
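Both gateway setups on this page want the same thing: internal machines masquerade out, and nothing unsolicited comes back in to the gateway or past it. The SuSEfirewall2 settings for satellite produce that policy; the office script above does not, because it leaves both chains at their ACCEPT default. The following is an added example, not a script from the original page, that writes the same policy out as explicit iptables rules with deny-by-default chains, so you can see what FW_AUTOPROTECT_SERVICES and FW_MASQUERADE amount to and how the office script would look once tightened. The interface names (ppp0 outside, eth0 and eth1 inside), the internal network 192.168.0.0/24 and the service ports are assumptions taken from this page's setups; change them for your own machine. Setting IPT=echo prints the rules instead of loading them, so the policy can be reviewed without root.

```shell
#!/bin/sh
# Added example, not the page's own script: the "NAT gateway that hides its
# own services from the Internet" policy as explicit iptables rules with
# deny-by-default chains. Interface names, internal network and service
# ports are assumptions matching the setups described on the page.
EXT_IF="${EXT_IF:-ppp0}"               # towards the Internet (eth0 in the office case)
INT_IFS="${INT_IFS:-eth0 eth1}"        # trusted sides: wired and wireless
INT_NET="${INT_NET:-192.168.0.0/24}"   # the only source addresses we forward for
INT_PORTS="${INT_PORTS:-22 25 80 110}" # ssh, smtp, http, pop3: reachable from inside only

# IPT is the iptables binary; IPT=echo turns the whole policy into a dry
# run that prints the rules instead of loading them (no root needed).
IPT="${IPT:-iptables}"

gateway_rules() {
    # Flush and deny by default: a rule we forgot means a dropped packet,
    # not an open door (the quick office script leaves both chains at ACCEPT).
    $IPT -F
    $IPT -t nat -F
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT

    # Loopback, and replies to connections the gateway itself opened.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # Local services and ping are reachable from the internal interfaces
    # only. No INPUT rule names $EXT_IF, so unsolicited packets from the
    # Internet to the gateway's own services fall through to DROP.
    for ifc in $INT_IFS; do
        $IPT -A INPUT -i "$ifc" -s "$INT_NET" -p icmp -j ACCEPT
        for port in $INT_PORTS; do
            $IPT -A INPUT -i "$ifc" -s "$INT_NET" -p tcp --dport "$port" -j ACCEPT
        done
    done

    # Forwarding: internal hosts may open connections outward; from the
    # outside only packets belonging to those connections come back in.
    for ifc in $INT_IFS; do
        $IPT -A FORWARD -i "$ifc" -o "$EXT_IF" -s "$INT_NET" -j ACCEPT
        $IPT -A FORWARD -i "$EXT_IF" -o "$ifc" -m state --state ESTABLISHED,RELATED -j ACCEPT
    done

    # Everything leaving through the external interface appears to come
    # from the gateway (FW_MASQUERADE="yes" in SuSEfirewall2 terms).
    $IPT -t nat -A POSTROUTING -o "$EXT_IF" -j MASQUERADE
}

enable_forwarding() {
    echo 1 > /proc/sys/net/ipv4/ip_forward
}

# Number of rules in a dry run that match a pattern; handy for checking a
# policy (e.g. "no INPUT rule on the external interface") before loading it.
count_rules_for() {
    ( IPT=echo; gateway_rules ) | grep -c -- "$1" || true
}

if [ "${1:-}" = "apply" ]; then
    enable_forwarding
    gateway_rules
else
    ( IPT=echo; gateway_rules )   # default: show what would be loaded
fi
```

Run it with no arguments to review the rules, then as root with "apply" to load them; for the office case set EXT_IF=eth0 and INT_IFS=eth1 in the environment first. A useful review question it answers directly is "how many INPUT rules mention the external interface?", which should be zero.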

The machines

Name      gateway
IP        192.168.0.1
Function  Gateway/router
Hardware  Maxdata Bristol Pro II laptop (486 266MHz, 32MB RAM)
          Alcatel Speedtouch ADSL modem
          Xircom CWE1120 PCMCIA 802.11b adapter
OS        Windows 98 SE

Name      sat802
IP        192.168.0.2
Function  My 'main' machine
Hardware  Toshiba Satellite S1800-814
          Xircom CWE1120 PCMCIA 802.11b adapter
OS        SuSE Linux 8.1

Name      vaio802
IP        192.168.0.3
Function  Extra compact portable
Hardware  Sony Vaio U1
          Xircom CWE1120 PCMCIA 802.11b adapter
OS        Kondara Linux 2.1

Name      atsuko
IP        192.168.0.4
Function  My wife's computer
Hardware  Packard Bell desktop
          USB 802.11b adapter
OS        Windows XP Home

Name      lib802
IP        192.168.0.5
Function  Spare sub-notebook
Hardware  Toshiba Libretto 70CT
          Xircom CWE1120 PCMCIA 802.11b adapter
OS        SuSE Linux 7.3

Name      zau802
IP        192.168.0.6
Function  PDA
Hardware  Sharp Zaurus SL-5500
          Netgear MA701 CF 802.11b adapter
OS        OpenZaurus 3.0

Name      ux50
IP        192.168.0.7
Function  PDA
Hardware  Sony PEG-UX50
          Built-in 802.11b card
OS        PalmOS 5