From Security Weekly Wiki
Revision as of 14:54, 3 July 2007 by Pauldotcom (talk | contribs)
Jump to navigationJump to search

Wireless Guest Network: Part I

Equipment Used:

  • 2 WRT54GLs
  • 2 LINKSYS POE Adapter WAPPOE12 12V
  • OpenWrt "Whiterussian" 0.9
  • Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question, why does Linksys not enable boot_wait by default?). Also, do not use the PoE adapters when flashing!
  • Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr=""
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
  • Step 3 - Create a separate VLAN or physical network, preferably with a separate Internet connection. Put that APs on that subnet.
  • Step 4 - Harden and perfomance tune OpenWrt - Remove the packages that are not required:
ipkg update
ipkg remove ppp ppp-mod-ppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade

Disable services not required:

cd /etc/init.d mv S50httpd disabled_S50httpd mv S50telnet disabled_S50telnet

  • Step 5 - Enable DHCP on each of the access points:

cat > /etc/init.d/S60dnsmasq

  1. ! /bin/ash

/usr/sbin/dnsmasq &


Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:

  1. enable dhcp (start,end,netmask,leasetime)

dhcp-authoritative dhcp-range=,,,12h dhcp-leasefile=/tmp/dhcp.leases

  1. use /etc/ethers for static hosts; same format as --dhcp-host
  2. <hwaddr> <ipaddr>


  1. other useful options:
  1. Default Gateway


  1. DNS Servers


  • Step 6 - Reboot the WRT54GL, make sure all is well. Now, connect the POE adapaters and place the APs where you want them.
  • Step 7 - Configure Wireless - Place the access points on their respecitve channels using the command "nvram set wl0_channel=1". Ideally, you could have 3 APs, one on channel 1, 6, and 11. Now, set all of the SSIDs to the same value using the command "nvram set wl0_ssid="guestwireless".

In Part II, we will show you how to implement a captive portal for guest authentication.