HOWTO: Setup Ubuntu as a wireless router

[pedalwrench]

Update: this is now working.
It looks like my issue with bridging was and is a hardware issue.
The Atheros card will not come on-line after a reboot, but will come up on a hard power cycle.

My first How To, and it is kind of long.

Basically I was sick of my Linksys router being to slow and I decided I wanted some more power.

This took a long time to work through and get running. Hopefully I got it all.

First off you will need a spare machine, some NICs and a lot of patience. Also a working knowledge of nano and the console would be nice.

My Hardware Specs:
Old Micron Desktop Computer with everything onboard/built in
Celeron 400 MHZ
384mb RAM
40GB HDD
Atheros based cheap wireless NIC from Compusa
2 Realtek 10/100 NICs

I chose the Atheros card because it was laying around in storage gathering dust. I also have a nice 10db antenna that hooks up to it.

For comments or complaints email me.
pedalwrench007 at gmail dot com

Here goes and have fun:

GOAL

To have a seamless replacement for my Linksys WRT54G with more wireless range and more control.

INITIAL

Install the basic Ubuntu Server [NO DNS or LAMP]
Enable the Universe Repo
apt-get update

Since this is a long How to you should just be root to config the server.

type the command:

Code:

sudo su -

and enter your password...

SETUP THE NETWORK
3 interface setup

my eth0 is broken and on-board so I had to add a card [YMMV]
eth1 is the WAN interface (gateway)
eth2 is the LAN interface
ath0 is the wireless card
br0 is the bridged connection of ath0 and eth2

Setup bridging

Code:

apt-get install bridge-utils

Then edit the network config

Code:

nano /etc/network/interfaces

Code:

 # This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

#MY BROKEN INTERFACE (3com on-board)
#auto eth0
#iface eth0 inet dhcp
#pre-up iptables-restore < /etc/iptables.conf

# Gateway 
# You should set this to DHCP if your cable/DSL ISP provides it.
# the "pre-up" command brings up the iptables "firewall"
# it is just set to static for testing purposes.  see eth0 for DHCP setup.
auto eth1
iface eth1 inet static
address 192.168.1.17
netmask 255.255.255.0
gateway 192.168.1.1
pre-up iptables-restore < /etc/iptables.conf

#Wireless Setup
auto ath0
iface ath0 inet manual
wireless-mode master
# CHANGE ME!!! to your own ESSID
wireless-essid pivotpoint

#Bridge interface
auto br0
iface br0 inet static
    address 10.1.1.1
    network 10.1.1.0
    netmask 255.255.255.0
    broadcast 10.1.1.255
    bridge-ports eth2 ath0

WIFI SETUP

Atheros card setup for routing
[resource = https://help.ubuntu.com/community/Router/Madwifi]
You have to install the Source to get the driver into Master mode for a WAP

Code:

wget http://umn.dl.sourceforge.net/sourceforge/madwifi/madwifi-0.9.2.1.tar.gz 
tar -xvzf madwifi-0.9.2.1.tar.gz
cd madwifi-0.9.2.1
apt-get install build-essential linux-headers-server 
make
make install

Edit your kernel modules loaded at boot time:

Code:

 nano /etc/modprobe.d/madwifi

add this to make sure the wireless card goes into Master mode:

Code:

options ath_pci autocreate=ap

FIREWALL

run these commands:
[resource = https://help.ubuntu.com/6.10/ubuntu/...iguration.html ]

[NOTE: ETH1 is the gateway interface. YMMV]

Code:

iptables -t nat -A POSTROUTING -s 10.1.1.0/24 -o eth1 -j MASQUERADE
iptables -A FORWARD -s 10.1.1.0/24 -o eth1 -j ACCEPT
iptables -A FORWARD -d 10.1.1.0/24 -m state --state ESTABLISHED,RELATED -i eth1 -j ACCEPT

for logging add:

Code:

iptables -A INPUT -m state --state NEW -p tcp --dport 80 -j LOG --log-prefix "NEW_HTTP_CONN: "

The above log will also appear in /var/log/messages, /var/log/syslog, and /var/log/kern.log.

save to /etc/iptables.conf

Code:

iptables-save > /etc/iptables.conf

NOTE: This is a basic setup that only routes NAT packets. Please read up on firewalli
ng to protect your machine.

# Enable packet forwarding in the Kernel

Code:

nano /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4

Code:

net.ipv4.conf.forwarding=1

NOTE: Ubuntu has this for default:
#net.ipv4.conf.default.forwarding=1

Make sure you remove the word "default." there is no need for it

DHCP SERVER SETUP

A basic 10 machine DHCP server. Nothin' fancy

Install DHCP server:

Code:

apt-get install dhcpd

Config the server:

Code:

 nano /etc/dhcpd.conf

Code:

 # MY BASIC CONFIG /etc/dhcpd.conf

default-lease-time 600;
max-lease-time 7200;

#CHANGE THIS TO YOUR DNS SERVERS
option domain-name-servers 68.87.69.146, 67.87.85.98;
option domain-name "youdomainnamehere.com";

#Subnet for DHCP Clients
subnet 10.1.1.0 netmask 255.255.255.0 {
# range of 10 machines
range 10.1.1.50 10.1.1.60;
option subnet-mask 255.255.255.0;
option broadcast-address 10.1.1.255;
option routers 10.1.1.1;
}

You also need to edit /etc/default/dhcp file to specify the interfaces dhcpd
should listen to. By default it listens to eth0. We need to only have it listen to our local NIC {br0}

Code:

nano /etc/default/dhcp

Then add br0 like so:

Code:

 INTERFACES="br0"

INSTALL MONITORING

Darkstat

Stats with a http server

Code:

apt-get install darkstat

edit the config

Code:

nano /etc/darkstat/init.cfg

Code:

 # Turn this to yes when you have configured the options below.
START_DARKSTAT=yes

# Don't forget to read the man page.

# You must set this option, else darkstat may not listen to
# the interface you want
INTERFACE="-i eth1"

PORT="-p 8888"
#BINDIP="-b 127.0.0.1"
#LOCAL="-l 10.1.1.0/24"
#FIP="-f 127.0.0.1"
#DNS="-n"
#SPY="--spy eth1"

To see this point a browser to http://10.1.1.1:8888

Saidar

a neat little ap that shows server usage

Code:

apt-get install saidar

then

Code:

saidar

OTHER OPTIONAL

Disabling IPv6 for some speed improvments

Code:

nano /etc/modprobe.d/aliases

Comment out this line:

Code:

alias net-pf-10 ipv6

Save the file then

Code:

nano /etc/modprobe.d/blacklist

Add this line:

Code:

blacklist ipv6

Save the file

FINISH

restart your computer. Hopefully everything worked. If so, back it up!

BACKUP

[Reference = http://doc.gwos.org/index.php/Backup_restore_system ]

Code:

sudo su -
cd /
tar cvpjf backup.tar.bz2 --exclude=/proc --exclude=/media --exclude=/mnt --exclude=/dev --exclude=/lost+found --exclude=/backup.tar.bz2 --exclude=/tmp --exclude=/sys /

You will then have a tar ball that is your server all wrapped up in a bundle.
Store in a cool dry place.

FUTURE GOALS

Add Squid, and DNS-Masq.
Add Port Forwarding


References:
https://help.ubuntu.com/community/Br...workInterfaces https://help.ubuntu.com/community/Ub...lessRouter/New
http://www.netfilter.org/documentati...ing-HOWTO.html http://www.debianadmin.com/monitor-y...th-saidar.html https://help.ubuntu.com/6.10/ubuntu/...e/C/index.html http://www.debianadmin.com/network-t...tu-system.html

VERSION:
0.1 3-11-2007 - Re-Write. Setup is a little different. Changed firewall config, deleted squid, and dns-masq.
0.0 3-4-2007 - Initial write-up

[esaym]

Good work! Looks promising!

[BeachBum]

Cool! I just reinstalled Edgy (reverted back to i386) and need to provide some type of network access, much like you describe here. I wanted to know why you chose bridging, instead of routing? Besides the actual data "routing", are there any key differences between bridging and routing?

Thanks for any thoughts!

[pedalwrench]

Quote:

Originally Posted by BeachBum Cool! I just reinstalled Edgy (reverted back to i386) and need to provide some type of network access, much like you describe here. I wanted to know why you chose bridging, instead of routing? Besides the actual data "routing", are there any key differences between bridging and routing? Thanks for any thoughts!

Well, I just thought that would be the best way to make it look seamless, like a linksys or d-link router.

That is a great idea though. I may drop the bridging and go that route. The madwifi driver and wireless-tools doesn't seem to work well together with bridge-utils. Unless I am missing something.

For routing with out the bridge it should be pretty simple. just set the network up with separate interfaces, point dhcp and dns-masq to those interfaces, and then reconfig the firewall accordingly. It actually works that way.

[genesis[OFT]]

You probably should also note that it is of CRITICAL importance that you have a Wireless NIC that supports MASTER MODE.

[pedalwrench]

Quote:

Originally Posted by genesis[OFT] You probably should also note that it is of CRITICAL importance that you have a Wireless NIC that supports MASTER MODE.

so true, do you know of a list of approved wireless NICs/Drivers that support it. I will add it to the resource area.

I have to build the Madwifi driver from source to get it going.

[pentium4borg]

Isn't it better to sudo -s instead of sudo su - ?

[luca.b]

Some suggestions:

Instead of manipulating iptables directly, consider using shorewall (http://shorewall.net) it makes configuring iptables much easier and also enables creating "trusted" and "untrusted" zones pretty easily. Also doing NAT/masquerade and port forwarding is also easy.

Second, instead of installing a dhcp server, consider using the dnsmasq package. It's both a DHCP server and a DNS cache and works rather nicely on my Ubuntu software router (I notice you put it in the future plans, though).

For easy web administration, I use webmin (http://webmin.com). It's not in the Ubuntu repository but you can find a binary package on their web page. You can configure a lot of settings like that, including shorewall.

[Tichondrius]

To become root you only need to type "sudo -s"

And running a PC 24/7 will cost you 10 times as much as a wireless router, as far as the electricity bill.

[flashingcurser]

Very nice work!

I see you are thinking about some future additions to this article. A couple that I would like to suggest are:

Squid/dansguardian- So that if it was an open network no one could use it for illegal porn.

bandwidth control, total and for each individual connection- So no one could saturate your bandwidth with bittorent

homepage redirect- So people could see my shiny new site first. I think this could be done with squid.

I know that "Open wireless network" is a much maligned term. If secured properly, their usefulness is too good to be ignored.


Thank you