Difference between revisions of "Episode75"

From Security Weekly Wiki

Revision as of 15:34, 3 July 2007

Wireless Guest Network: Part I

Equipment Used:

  • 2 WRT54GLs
  • 2 LINKSYS POE Adapter WAPPOE12 12V
  • OpenWrt "Whiterussian" 0.9

The nice part is that all of this can be done for under $300, and it's all open source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Below are the step-by-step guidelines for getting the initial setup going:

  • Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question: why does Linksys not enable boot_wait by default?) Also, do not use the PoE adapters when flashing!
  • Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr="10.10.10.5"
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
# write the changes to flash so they survive a reboot
nvram commit
  • Step 3 - Create a separate VLAN or physical network, preferably with a separate Internet connection. Put the APs on that subnet.
  • Step 4 - Harden and performance-tune OpenWrt - Remove the packages that are not required:
ipkg update
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade

Disable services not required:

cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet
  • Step 5 - Enable DHCP on each of the access points:
cat > /etc/init.d/S60dnsmasq
#!/bin/ash

/usr/sbin/dnsmasq &

<CTRL-D>
# the new init script must be executable to run at boot
chmod +x /etc/init.d/S60dnsmasq

Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:

# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=10.10.230.100,10.10.230.150,255.255.255.0,12h
dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:

# Default Gateway
dhcp-option=3,10.10.230.1

# DNS Servers
dhcp-option=6,192.168.10.6,192.168.10.7
  • Step 6 - Reboot the WRT54GL and make sure all is well. Now, connect the PoE adapters and place the APs where you want them.
  • Step 7 - Configure Wireless - Place the access points on their respective channels using the command "nvram set wl0_channel=1". Ideally, you could have 3 APs, one each on channels 1, 6, and 11. Now, set all of the SSIDs to the same value using the command 'nvram set wl0_ssid="guestwireless"'.

You should now be able to associate to the given SSID. Which access point you associate with will depend heavily on the wireless driver that you are using, and other factors that require too much math.
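To confirm that the hardening in Step 4 and the DHCP setup in Step 5 actually took effect on each AP, a small audit function helps. This is an added example, not part of the original show notes; the function name audit_guest_ap and the /24 comparison (taken from the 255.255.255.0 netmask above) are assumptions. Pass / as the root when running it on the router.

```shell
#!/bin/sh
# Added example: audit an AP's filesystem against Steps 4 and 5.
# ROOT is "/" on the router; a scratch directory tree allows offline runs.

audit_guest_ap() {
    root="${1:-/}"
    fails=0
    initd="$root/etc/init.d"
    conf="$root/etc/dnsmasq.conf"

    # Step 4: the page disables a service by renaming its S50* script,
    # so finding the original name means the service is still enabled.
    for svc in S50httpd S50telnet; do
        if [ -e "$initd/$svc" ]; then
            echo "FAIL: $svc is still enabled"
            fails=$((fails + 1))
        fi
    done

    # Step 5: the dnsmasq init script must exist and be executable.
    if [ ! -x "$initd/S60dnsmasq" ]; then
        echo "FAIL: S60dnsmasq missing or not executable"
        fails=$((fails + 1))
    fi

    # Step 5: exactly one DHCP pool, with the default gateway in its /24.
    pools=$(grep -c '^dhcp-range=' "$conf" 2>/dev/null || true)
    if [ "${pools:-0}" -ne 1 ]; then
        echo "FAIL: expected 1 dhcp-range line, found ${pools:-0}"
        fails=$((fails + 1))
    else
        start=$(sed -n 's/^dhcp-range=\([0-9.]*\),.*/\1/p' "$conf")
        gw=$(sed -n 's/^dhcp-option=3,\([0-9.]*\).*/\1/p' "$conf")
        if [ "${start%.*}" != "${gw%.*}" ]; then
            echo "FAIL: gateway '${gw:-unset}' is outside ${start%.*}.0/24"
            fails=$((fails + 1))
        fi
    fi

    echo "$fails check(s) failed"
    return "$fails"
}
```

The return status is the number of failed checks, so 0 means the AP matches the steps above.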

In Part II, we will show you how to implement a captive portal for guest authentication, and maybe even how to add some further layers of security such as intrusion detection and IP filtering.