Thread: HOWTO: Create Wired/Wireless Router with dnsmasq

  #1 (joined Jan 2007, Albany, NY, US)

    HOWTO: Create Wired/Wireless Router with dnsmasq

    I made my own custom wireless and wired router and I had to search around a lot to figure out how to do it. So, I decided to post what I did here to help others. I don't have much time to field a lot of questions or suggestions so I hope others can answer any questions.

    Alright! Let's get started.

    Tutorial Instructions
    This tutorial will show you how to create a wireless and/or wired router. Instructions in green are only necessary for the wired router. Things in purple are for wireless only. So, if you only want a wired router, ignore the purple stuff. If you only want a wireless router ignore the green stuff. If you want both, then follow all instructions. If you want neither, then why are you reading this? For input in files bold things are lines you need to add, and things in red must be changed. Things underlined are optional.

    What you need
    A computer w/ a wired network card
    Monitor and Keyboard (only necessary for installation)
    An Ubuntu server CD (Get it here)
    A wireless network card
    A second wired network card
    A switch (One of these is fine) or a crossover cable if you only want one computer on your LAN

    Choosing a wireless card
    You need to make sure that the wireless card you choose not only works in Linux but can be put into Master Mode. Unfortunately, I couldn't find any good resources on that. I'm using a D-Link DWL-G550 because it has an external antenna and it works in Linux in Master Mode.

    Install Ubuntu
    Install according to your wishes. If you need help there, a good tutorial is here.
    You only need to follow the first 2 pages of that tutorial!


    You will be prompted to select which interface you want to be configured with DHCP. Just choose the first one unless you have some reason to do otherwise.

    Get started
    Instead of sudoing a lot, we'll just become root:
    Code:
    sudo -s

    Get your wireless working
    Install the drivers for your wireless card. If you're not using an Atheros chipset you'll have to find instructions elsewhere to get it going, then move on to the next part. If you do have an Atheros then read on.

    Check if you have an Atheros card:
    Code:
    lspci | grep Atheros
    If that shows your card you're good to install the driver. You can check for compatibility here.

    The newer Atheros drivers don't support Master mode. We need to install the older madwifi driver. We'll get the latest stable madwifi driver with subversion.
    Code:
    sudo aptitude install linux-headers-`uname -r` subversion build-essential
    sudo svn checkout http://svn.madwifi-project.org/madwifi/trunk/ madwifi
    This will take a little bit. Then we'll install the driver:
    Code:
    cd madwifi
    sudo make
    sudo make install
    And we need to blacklist the other Atheros drivers.
    Code:
    nano /etc/modprobe.d/blacklist.conf
    and add these lines:
    Code:
    blacklist ath9k
    blacklist ath5k
    
    Save and exit (Ctrl+X)

    Now you'll need to put it in Master Mode. Edit this file
    Code:
    nano /etc/modprobe.d/madwifi.conf
    and type this:
    Code:
    options ath_pci autocreate=ap
    Save and exit (Ctrl+X)

    Configure your network interfaces
    Check to make sure your internet is plugged in and working. If you have more than one wired card you may need to try both cards to find the one setup with DHCP. Test with:
    Code:
    ping google.com
    If you get a response then you're good to go. If you don't get a response, try the other card.

    Assuming that's working, take a look at your interfaces:
    Code:
    ifconfig -a
    You should see all your interfaces. If your wireless (probably ath0) isn't showing up, then something went wrong installing the drivers. eth0 should be your WAN and should have an "inet addr" assigned. eth1 would be your LAN interface. If eth1 has an inet addr assigned then your eth0 and eth1 are switched. That means that from now on you need to swap these in the rest of the tutorial instructions.

    Now, we need to setup your ip addresses. If you have both wired and wireless interfaces there are two options. The first option serves different ip addresses to either the wired and wireless networks. It doesn't affect whether the computers in the LAN can see each other, it just gives them different ip addresses. The second option bridges the interfaces together into one so that ip addresses are served from a common pool. If you just have wired or just wireless, follow the first option instructions.

    Option 1 (Keep them separated)
    Since most commercial routers use 192.168.0.xxx, I chose 192.168.1.xxx for the LAN, and 192.168.2.xxx for the WLAN. You're free to choose whatever you want, but be careful to propagate those changes to the rest of the instructions. Let's set them up:
    Code:
    nano /etc/network/interfaces
    Your file should look like this after you add the lines in bold:
    Code:
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet dhcp
    
    auto eth1
    iface eth1 inet static
    	address 192.168.1.1
    	network 192.168.1.0
    	netmask 255.255.255.0
    	broadcast 192.168.1.255
    
    auto ath0
    iface ath0 inet static
    	wireless-mode master
    	wireless-essid myessid
    	wireless-key s:mykey
    	wireless-channel 1
    	address 192.168.2.1
    	network 192.168.2.0
    	netmask 255.255.255.0
    	broadcast 192.168.2.255
    The first underlined line is for wireless encryption. It is not necessary, but recommended. Change myessid to whatever you want your wireless network to be called. And change mykey to whatever ASCII password you want to use. The second line lets you change the channel in case a particular channel is heavily used.

    Save and exit (Ctrl+X).

    Option 2 (Bridge them)
    First we need to install the necessary packages to bridge the interfaces:
    Code:
    apt-get install bridge-utils
    Since most commercial routers use 192.168.0.xxx, I chose 192.168.1.xxx for the LAN/WLAN. You're free to choose whatever you want, but be careful to propagate those changes to the rest of the instructions. Let's set them up:
    Code:
    nano /etc/network/interfaces
    Your file should look like this after you add the lines in bold:
    Code:
    auto lo
    iface lo inet loopback
    
    auto eth0
    iface eth0 inet dhcp
    
    #Internal(LAN) interface eth1 is brought up when br0 is
    
    auto ath0
    iface ath0 inet manual
    	wireless-mode master
    	wireless-essid myessid
    	wireless-key s:mykey
    	wireless-channel 1
    
    #Network bridge
    auto br0
    iface br0 inet static
           address 192.168.1.1
           network 192.168.1.0
           netmask 255.255.255.0
           broadcast 192.168.1.255
           bridge-ports eth1 ath0
    The first underlined line is for wireless encryption. It is not necessary, but recommended. Change myessid to whatever you want your wireless network to be called. And change mykey to whatever ASCII password you want to use. The second line lets you change the channel in case a particular channel is heavily used.

    Note: Instructions with the bridged interface will be a little different later on so pay attention.

    Save and exit (Ctrl+X).


    Reboot and verify that the interfaces have the ip addresses you just chose for them:
    Code:
    reboot
    ifconfig

    Serve up some ip addresses
    Now it's time to setup dnsmasq to give ip addresses and DNS services to your LAN/WLAN.

    Install it:
    Code:
    sudo -s
    apt-get install dnsmasq
    Now let's set it up:
    Code:
    nano /etc/dnsmasq.conf
    For non-bridged interfaces, go to the end of the file and add the following lines:
    Code:
    interface=eth1
    dhcp-range=192.168.1.100,192.168.1.250,72h
    
    interface=ath0
    dhcp-range=192.168.2.100,192.168.2.250,72h
    And if your interfaces are bridged, go to the end of the file and add the following lines instead:
    Code:
    interface=br0
    dhcp-range=192.168.1.100,192.168.1.250,72h
    Save and exit (Ctrl+X).

    Restart dnsmasq:
    Code:
    /etc/init.d/dnsmasq restart

    Test dnsmasq
    Hook up your switch from your 2nd wired card and hook another computer into the switch. Your other computer should be able to connect and receive an ip address.

    You should see your wireless network on another wireless computer. Go ahead and connect with your key. You should be able to connect and receive an ipaddress.

    Check your ip address on your other computer(s):
    Code:
    ifconfig
    The ip should match the ip addresses that dnsmasq is supposed to serve.

    Note: Although your LAN/WLAN computers are connected, there's no internet yet. So don't panic!

    Share the love
    Now it's time to bring the internet to the masses.

    First we flush any current traffic rules we may have:
    Code:
    iptables -F
    iptables -X
    iptables -t nat -F
    iptables -t nat -X
    iptables -t mangle -F
    iptables -t mangle -X
    iptables -t raw -F
    iptables -t raw -X
    Now for non-bridged interfaces, these commands should turn on packet forwarding:
    Code:
    iptables -A FORWARD -i eth1 -s 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i ath0 -s 192.168.2.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.2.0/255.255.255.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    For bridged interfaces, use these instead:
    Code:
    iptables -A FORWARD -i br0 -s 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -A FORWARD -i eth0 -d 192.168.1.0/255.255.255.0 -j ACCEPT
    iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    And we need to turn ip forwarding on in the kernel:
    Code:
    echo 1 > /proc/sys/net/ipv4/ip_forward
    Now give it a whirl. Try connecting to a website from a computer on your LAN/WLAN. If it works, congrats! But keep reading - you're not done yet!

    Optional: SSH Server
    Install it and punch a hole in the firewall so you can access it from the WAN.
    Code:
    apt-get install openssh-server

    Optional: A little security
    We'll setup some iptables rules to increase the security a bit. It's not strictly required, but it's a good idea.

    We'll setup default policies to handle unmatched traffic. We'll drop all incoming traffic and all forwarded (traffic destined for our LAN/WLAN) but we'll allow all traffic originating from our router.
    Code:
    iptables -P INPUT DROP
    iptables -P OUTPUT ACCEPT
    iptables -P FORWARD DROP
    We'll allow all traffic coming to our router from itself:
    Code:
    iptables -I INPUT 1 -i lo -j ACCEPT
    And we'll allow all traffic heading to the router that is coming from the LAN/WLAN. This makes all of the services from the router (ftp, samba, etc) accessible from our internal network but it remains closed to the public.

    For non-bridged interfaces:
    Code:
    iptables -I INPUT 1 -i eth1 -j ACCEPT
    iptables -I INPUT 1 -i ath0 -j ACCEPT
    For bridged interfaces, use:
    Code:
    iptables -I INPUT 1 -i br0 -j ACCEPT
    We want to allow all requests initiated from our router to continue:
    Code:
    iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    The earlier iptables rules should still handle forwarding traffic. So we're done. Now, if we have any services like ftp or ssh on our router that we'd like to open to the public we need to poke holes in our firewall. For each service we need to run this command:
    Code:
    iptables -A INPUT -p type --dport port -i eth0 -j ACCEPT
    Change type to the packet type: tcp or udp. Change port to the port number. For example, a SSH server runs with tcp on port 22.

    Optional: Port Forwarding
    If you have services running on a computer in your internal network that you want to be public you'll need to forward the ports on the router to it. You can even change the port number in the process. For example, if you run a SSH server on your internal computer on the standard port 22, you can have the port 1022 on your router forward to port 22 on your internal computer. This lets you still have a SSH server running on your router with port 22 without conflicting.
    Code:
    iptables -t nat -A PREROUTING -p type --dport in-port -j DNAT --to ip:out-port
    type is tcp or udp. in-port is the port incoming to your router (1022 in the above example). ip is the ip address of the internal computer to forward to. out-port is the port that the packets will have when they reach the internal computer. Omit the colon and the out-port to keep the port number unchanged.

    Optional: DHCP Hosts
    Dnsmasq will tend to give the same ip address to a computer time after time, but it's unpredictable. If you want to force a specific computer to have a certain ip address then edit your dnsmasq.conf file again. (This is helpful for the port forwarding rules above.)
    Code:
    nano /etc/dnsmasq.conf
    For each computer you want to have a permanent ip address enter this at the end of the file:
    Code:
    dhcp-host=Name,192.168.1.2
    Where Name is the name of the computer. Change the red number to whatever you want in range (2-255).

    Save and exit (Ctrl+X).

    Restart dnsmasq:
    Code:
    /etc/init.d/dnsmasq restart
    Alternatively, you can give ip addresses using the computer's MAC address (get with ifconfig - HWaddr) using:
    Code:
    dhcp-host=id:MAC Address,192.168.1.2

    Make it stick
    Now we need to make all this stuff permanent. First, the kernel setting:
    Code:
    nano /etc/sysctl.conf
    Change this line:
    Code:
    #net.ipv4.conf.default.forwarding=1
    to this:
    Code:
    net.ipv4.ip_forward=1
    Now for the iptables:
    Code:
    iptables-save > /etc/iptables.conf
    nano /etc/rc.local
    Add this line before "exit 0":
    Code:
    iptables-restore < /etc/iptables.conf

    Optional: Dynamic DNS
    If you want to be able to access your router from your WAN you'll need to know its ip address. This can become a chore though, because most ISPs give you a dynamic ip address (i.e. one that changes). So you can either jot it down each time you leave the house or you can setup DNS. There are lots of places that provide free dynamic DNS services. I use DynDNS. After you have your account setup you need to tell their servers what your ip address is on a regular basis. You can do this with a dynamic DNS client call inadyn. Install it and try it out:
    Code:
    apt-get install inadyn
    inadyn -u username -p password --update_period_sec 600 --alias url --background
    Make sure to put in your username, password, and url!

    You can test it by pinging your url:
    Code:
    ping url
    Make this permanent:
    Code:
    nano /etc/rc.local
    Add this line before "exit 0":
    Code:
    inadyn -u username -p password --update_period_sec 600 --alias url --background

    Optional: Router, Know Thy Name!
    You may have noticed that computers on the LAN/WLAN can reach each other by the name of the computer thanks to Dnsmasq. Unfortunately, the router won't respond by its name by default. You have to use its ip address (e.g. 192.168.1.1). But if you edit the hosts file on the router you can change that.
    Code:
    nano /etc/hosts
    Find the line that looks like:
    Code:
    127.0.1.1          Name
    And change it to:
    Code:
    192.168.1.1        Name
    Save and exit (Ctrl+X).

    Restart dnsmasq:
    Code:
    /etc/init.d/dnsmasq restart

    Printer/Scanner Server
    You can share a printer on your LAN by installing a CUPS server on your router.

    Install the server and edit the config file:
    Code:
    sudo apt-get install cupsys
    sudo cp /etc/cups/cupsd.conf /etc/cups/cupsd.conf.original
    sudo nano /etc/cups/cupsd.conf
    Find the line that says "Listen localhost:631" and change it to "Port 631".

    Find "Browsing Off" and change it to "Browsing On"

    Find the sections "<Location />", "<Location /admin>", "<Location /admin/conf>" and add "Allow all" on a line before the closing "</Location>".

    Close the file (Ctrl+X).

    Now, add yourself to the 'lpadmin' group so that you can use the cups admin tools.
    Code:
    sudo adduser lpadmin username
    Restart the CUPS server and you should be up and running.
    Code:
    sudo /etc/init.d/cups restart
    Before you can use it, you must add your printer to CUPS. On a computer within your WLAN/LAN navigate your browser to http://192.168.1.1:631/ (your router's internal ip address on port 631). From here you can perform all CUPS admin stuff. The first thing you should do is add your printer from Administration->Add Printer. Enter the admin username and password on the router when prompted. Once added, the printer should be available via ipp(Internet Printing Protocol) on port 631.

    If you have a scanner (or if your printer has a scanner attached) you can share that with SANE. You will connect using XSANE (Seems to be Linux only) from your LAN computers. Install this:
    Code:
    sudo apt-get install libsane-extras
    Now we need to tell the SANE daemon to run:
    Code:
    sudo nano /etc/default/saned
    Change "RUN=no" to "RUN=yes" and save and exit.

    Now edit this file:
    Code:
    sudo nano /etc/sane.d/saned.conf
    After the line "#scan-client.somedomain.firm", add a line that says:
    Code:
    192.168.1.0/24
    (Note: Tailor this to the right subnet for the correct subnet address.)

    Reboot the router and it should be good to go. You can test with:
    Code:
    scanimage -T
    On Karmic there is a permissions bug that may only allow you to access the scanner as root. Click here to see this bug. The fix is comment 24.

    On your LAN computers, you'll need to edit this file:
    Code:
    sudo nano /etc/sane.d/net.conf
    At the very end of the file add the ip address of your router on a line by itself.

    Now run XSANE and it should find the remote scanner. Happy scanning!

    Final Words
    There you go. Hopefully it should all be working. If not, check out these references to see if your question is answered there. Good luck!

    References
    Last edited by hedgefighter; December 11th, 2009 at 08:50 PM.
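    As an added example (my own, not the HOWTO author's code), here is the firewall from "Share the love", "A little security" and "Port Forwarding" assembled as one iptables-restore file, the same format "Make it stick" saves and reloads. It keeps FORWARD at DROP and lets WAN-originated packets through only for established connections and explicitly forwarded ports, whereas the thread's "-i eth0 -d 192.168.1.0/24 -j ACCEPT" forwards anything addressed to the LAN subnet. Interface names and subnets are the HOWTO's; the "tcp:1022:192.168.1.2:22" forward spec, the WAN_IN_TCP list and the script name are constructed sample values.

```shell
#!/bin/sh
# Added example, not the HOWTO author's code: generate the router firewall as
# one iptables-restore ruleset. Interface names follow the HOWTO (eth0 WAN,
# eth1 + ath0 LAN); forward specs and WAN_IN_TCP are constructed sample values.
WAN=${WAN:-eth0}
LAN_IFS=${LAN_IFS:-"eth1 ath0"}        # LAN_IFS=br0 for the bridged setup
WAN_IN_TCP=${WAN_IN_TCP:-22}           # router services reachable from the WAN
RULES_FILE=${RULES_FILE:-/etc/iptables.conf}

# parse_fwd splits "proto:wanport:lanip:lanport" into four globals.
parse_fwd() {
    proto=${1%%:*};     rest=${1#*:}
    inport=${rest%%:*}; rest=${rest#*:}
    lanip=${rest%%:*};  lanport=${rest#*:}
}

# emit_ruleset prints the complete ruleset; arguments are port-forward specs.
# FORWARD stays at DROP: traffic from the WAN is forwarded only when it belongs
# to a connection a LAN host opened, or hits a port forwarded below.
emit_ruleset() {
    printf '%s\n' '*nat' ':PREROUTING ACCEPT [0:0]' \
        ':POSTROUTING ACCEPT [0:0]' ':OUTPUT ACCEPT [0:0]'
    for spec in "$@"; do
        parse_fwd "$spec"
        printf '%s\n' "-A PREROUTING -i $WAN -p $proto --dport $inport -j DNAT --to-destination $lanip:$lanport"
    done
    printf '%s\n' "-A POSTROUTING -o $WAN -j MASQUERADE" COMMIT
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for i in $LAN_IFS; do printf '%s\n' "-A INPUT -i $i -j ACCEPT"; done
    for p in $WAN_IN_TCP; do
        printf '%s\n' "-A INPUT -i $WAN -p tcp --dport $p -m state --state NEW -j ACCEPT"
    done
    printf '%s\n' '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for i in $LAN_IFS; do printf '%s\n' "-A FORWARD -i $i -o $WAN -j ACCEPT"; done
    for spec in "$@"; do
        parse_fwd "$spec"
        printf '%s\n' "-A FORWARD -i $WAN -p $proto -d $lanip --dport $lanport -j ACCEPT"
    done
    printf '%s\n' COMMIT
}

# count_rules returns the number of -A lines, a quick sanity check before loading.
count_rules() { emit_ruleset "$@" | grep -c -- '^-A'; }

# apply_ruleset writes the file that rc.local reloads and loads it in one go;
# iptables-restore applies the whole file or, on a syntax error, nothing.
apply_ruleset() {
    emit_ruleset "$@" > "$RULES_FILE" && iptables-restore < "$RULES_FILE"
}

# Usage (hypothetical file name): sh router-fw.sh [apply] [proto:wanport:lanip:lanport ...]
if [ "${1:-}" = apply ]; then
    shift; apply_ruleset "$@"
else
    emit_ruleset "$@"           # with no arguments: print the default ruleset
fi
```

Run it without "apply" first and review the printed ruleset; the same file works as the input for "iptables-restore < /etc/iptables.conf" in rc.local.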

  #2 (joined May 2006, 100acrewood)

    Re: HOWTO: Create Wired/Wireless Router with dnsmasq

    Would you also consider explaining how to configure WPA/WPA2? WEP isn't the latest security standard and is highly flawed & insecure. Nice guide apart from this.

  #3 (joined Jan 2007, Albany, NY, US)

    Re: HOWTO: Create Wired/Wireless Router with dnsmasq

    Thanks a lot. As I said I don't have too much time to maintain this. I just spent a lot of time gathering the information and thought I'd share it. WEP is good enough for my needs. I really just have it to keep my neighbors from hopping on my wireless. I'm more than happy to get WPA setup, but it would take me a while to do it with my schedule. If you have any specific instructions I'd be happy to add them. I notice that you seem to be an expert in that area.

  #4 (joined May 2006, 100acrewood)

    Re: HOWTO: Create Wired/Wireless Router with dnsmasq

    Not quite an expert, really, but perhaps it is not even necessary looking at it again. People can easily combine information found here with stuff from other threads. So I guess it'll be OK. Again, thanks for your thread, it looks really neat. Hope you find time to support users.

    TURTLE POWER!

  #5 (joined Jan 2007, Albany, NY, US)

    Re: HOWTO: Create Wired/Wireless Router with dnsmasq

    Yeah, that's a good point. There's so many things you could do with it from this point like ftp and http servers. Hopefully the basic setup will be sufficient. Thanks again.

  #6 (joined Jan 2008)

    Re: HOWTO: Create Wired/Wireless Router with dnsmasq

    Thanks! I got my pc working as a router with this howto. I do have a question. Before turning the pc into a router I had the Guarddog firewall running, according to www.grc.com it was stealth. Now the first 1023 ports are stealth, the others are closed.

    The last two lines of your firewall rules are:
    iptables -A INPUT -p TCP -i eth0 -d 0/0 --dport 0:1023 -j DROP
    iptables -A INPUT -p UDP -i eth0 -d 0/0 --dport 0:1023 -j DROP

    It would seem to me that by changing them a bit I could make the machine stealth again?

  #7 (joined Feb 2012)

    Re: HOWTO: Create Wired/Wireless Router with dnsmasq

    Hi all..

    I'm a Linux noob that wanted to use UFW instead of iptables to set up the firewall part of this guide. I'm not sure if I have done this right so feel free to comment...

    This is what I did..

    In /etc/default/ufw change DEFAULT_FORWARD_POLICY to ACCEPT

    In /etc/ufw/sysctl.conf uncomment net/ipv4/ip_forward=1

    In /etc/ufw/before.rules add, from the top, after the comments...

    Code:
    # nat Table Rules
    *nat
    :POSTROUTING ACCEPT [0:0]

    # Forward traffic...
    -A POSTROUTING -s 192.168.1.0/255.255.255.0 -o eth0 -j MASQUERADE

    COMMIT

    # allow all on loopback
    # added this here
    -A ufw-before-input -i eth1 -j ACCEPT
    Shields up on www.grc.com shows that the firewall is ok.
