Episode75

From Security Weekly Wiki
Revision as of 14:54, 3 July 2007 by Pauldotcom (talk | contribs)

Wireless Guest Network: Part I

Equipment Used:

  • 2 WRT54GLs
  • 2 LINKSYS POE Adapter WAPPOE12 12V
  • OpenWrt "Whiterussian" 0.9

  • Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question: why does Linksys not enable boot_wait by default?) Also, do not use the PoE adapters when flashing!
  • Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr="10.10.10.5"
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
# write the changes to flash so they survive a reboot
nvram commit
  • Step 3 - Create a separate VLAN or physical network, preferably with a separate Internet connection. Put the APs on that subnet.
  • Step 4 - Harden and performance tune OpenWrt - Remove the packages that are not required:
ipkg update
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade

Disable services not required:

cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet

  • Step 5 - Enable DHCP on each of the access points:

cat > /etc/init.d/S60dnsmasq
#!/bin/ash
/usr/sbin/dnsmasq &
<CTRL-D>
# init scripts must be executable to run at boot
chmod +x /etc/init.d/S60dnsmasq

Now, remove the DHCP configuration from /etc/dnsmasq.conf, and replace it with:


# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=10.10.230.100,10.10.230.150,255.255.255.0,12h
dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# Default Gateway
dhcp-option=3,10.10.230.1

# DNS Servers
dhcp-option=6,192.168.10.6,192.168.10.7


  • Step 6 - Reboot the WRT54GL and make sure all is well. Now, connect the PoE adapters and place the APs where you want them.
  • Step 7 - Configure Wireless - Place the access points on their respective channels using the command "nvram set wl0_channel=1". Ideally, you could have 3 APs, one each on channels 1, 6, and 11. Now, set all of the SSIDs to the same value using the command "nvram set wl0_ssid=guestwireless".
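
To confirm that an AP really ended up in the state Steps 2 through 7 describe, the following added example (not part of the original show notes) audits saved copies of the "nvram show" output, the AP's /etc tree and the "ipkg list_installed" output. The function names, the argument layout and the "name - version - description" package-list format are assumptions.

```sh
#!/bin/sh
# Added example: audit one AP against Steps 2-7, working on saved copies so
# it can run off-box. Arguments to audit_ap (layout is an assumption):
#   $1 = saved output of `nvram show` (key=value lines)
#   $2 = directory holding a copy of the AP's /etc tree (file modes preserved)
#   $3 = saved output of `ipkg list_installed`
#   $4 = expected SSID (defaults to the page's "guestwireless")

# nv FILE KEY: print KEY's value from an nvram dump
nv() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# Prints one "FAIL: ..." line per finding; returns 0 only if there are none.
audit_ap() {
    dump=$1 root=$2 pkgs=$3 ssid=${4:-guestwireless} fails=0
    fail() { echo "FAIL: $*"; fails=$((fails + 1)); }

    # Step 2: boot_wait on, WAN protocol disabled
    [ "$(nv "$dump" boot_wait)" = "on" ]   || fail "boot_wait is not on"
    [ "$(nv "$dump" wan_proto)" = "none" ] || fail "wan_proto is not none"

    # Step 4: removed packages must be gone, httpd/telnet must not start
    for p in ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe; do
        if grep -q "^$p " "$pkgs"; then fail "package $p still installed"; fi
    done
    for s in S50httpd S50telnet; do
        if [ -e "$root/etc/init.d/$s" ]; then fail "$s still enabled"; fi
    done

    # Step 5: dnsmasq start script is runnable and the config hands out leases
    [ -x "$root/etc/init.d/S60dnsmasq" ] ||
        fail "S60dnsmasq missing or not executable"
    for opt in dhcp-authoritative dhcp-range= dhcp-option=3, dhcp-option=6,; do
        grep -q "^$opt" "$root/etc/dnsmasq.conf" 2>/dev/null ||
            fail "dnsmasq.conf lacks $opt"
    done

    # Step 7: non-overlapping channel and the shared SSID
    case "$(nv "$dump" wl0_channel)" in
        1|6|11) ;;
        *) fail "wl0_channel is not 1, 6 or 11" ;;
    esac
    [ "$(nv "$dump" wl0_ssid)" = "$ssid" ] || fail "wl0_ssid is not $ssid"

    [ "$fails" -eq 0 ]
}
```

Run it once per AP after Step 7; any FAIL line points at a step that did not stick, for example an nvram value that was set but not written to flash before the reboot.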

In Part II, we will show you how to implement a captive portal for guest authentication.