From Security Weekly Wiki
Revision as of 17:58, 5 July 2007 by Larry (talk | contribs)

Wireless Guest Network: Part I

Equipment Used:

  • 2 WRT54GLs
  • 2 LINKSYS POE Adapter WAPPOE12 12V
  • OpenWrt "Whiterussian" 0.9

The nice part is, all this can be done for under $300, and it's all open-source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Below are the step-by-step guidelines for getting the initial setup going:

  • Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question, why does Linksys not enable boot_wait by default?). Also, do not use the PoE adapters when flashing!
  • Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr=""
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
nvram commit

[Larry] Added the nvram commit.

  • Step 3 - Create a separate VLAN or physical network, preferably with a separate Internet connection. Put the APs on that subnet.
  • Step 4 - Harden and performance-tune OpenWrt - Remove the packages that are not required (the PPP/PPPoE stack and the web interface are not needed on a plain access point):
ipkg update
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade

Disable services not required:

cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet
  • Step 5 - Enable DHCP on each of the access points:
cat > /etc/init.d/S60dnsmasq <<'EOF'
#! /bin/ash
# start dnsmasq (DHCP and DNS for the guest clients) in the background
/usr/sbin/dnsmasq &
EOF
chmod +x /etc/init.d/S60dnsmasq

Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:

# enable dhcp (start,end,netmask,leasetime)
# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>

# other useful options:

# Default Gateway

# DNS Servers
  • Step 6 - Reboot the WRT54GL and make sure all is well. Now, connect the POE adapters and place the APs where you want them.
  • Step 7 - Configure Wireless - Place the access points on their respective channels using the command "nvram set wl0_channel=1". Ideally, you could have 3 APs, one each on channels 1, 6, and 11. Now, set all of the SSIDs to the same value using nvram set wl0_ssid="guestwireless", followed by "nvram commit" in order to save the nvram changes. [Larry] Added nvram commit.
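Steps 2, 4 and 7 repeat on every AP, and the three channel/hostname/address choices are easy to mix up when typing them by hand. The script below is an added example (not from the wiki or the OpenWrt project) that prints those commands for AP number N so the output can be reviewed before being piped into sh on the router; the guest subnet 192.168.50.0/24 and the AP numbering 1..3 are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: prints the Step 2/4/7 commands for AP
# number N so three WRT54GLs get consistent, non-overlapping settings.
# Assumptions (constructed): guest subnet 192.168.50.0/24, APs numbered 1..3.
GUEST_SSID="guestwireless"
GUEST_NET="192.168.50"      # adjust to the guest VLAN from Step 3

# Map AP number to one of the three non-overlapping 2.4 GHz channels.
ap_channel() {
    case "$1" in
        1) echo 1 ;;
        2) echo 6 ;;
        3) echo 11 ;;
        *) echo "ap_channel: AP number must be 1, 2 or 3" >&2; return 1 ;;
    esac
}

# Emit the nvram commands for AP $1, one per line. Nothing is applied
# here: review the output, then pipe it into sh on the AP.
ap_nvram_cmds() {
    n="$1"
    ch=$(ap_channel "$n") || return 1
    cat <<EOF
nvram set lan_ipaddr="${GUEST_NET}.$((10 + n))"
nvram set boot_wait="on"
nvram set wan_hostname="myap${n}"
nvram set wan_proto="none"
nvram set wl0_channel="${ch}"
nvram set wl0_ssid="${GUEST_SSID}"
nvram commit
EOF
}

# Step 4: packages the page removes (PPP/PPPoE stack, web interface) and
# services it disables, kept in one place so every AP gets the same set.
REMOVE_PKGS="ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe"
DISABLE_SVCS="S50httpd S50telnet"
harden_cmds() {
    echo "ipkg update"
    echo "ipkg remove ${REMOVE_PKGS}"
    echo "ipkg upgrade"
    for s in $DISABLE_SVCS; do
        echo "mv /etc/init.d/${s} /etc/init.d/disabled_${s}"
    done
}
```

On the second AP, for instance, source the file and run `ap_nvram_cmds 2` to review, then `harden_cmds | sh; ap_nvram_cmds 2 | sh` to apply.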

You should now be able to associate to the given SSID. Which access point you associate with will depend heavily on the wireless driver that you are using, and other factors that require too much math.

In Part II, we will show you how to implement a captive portal for guest authentication, and maybe even how to add some further layers of security such as intrusion detection and IP filtering.

Listener Feedback and News

E-mail added by [Larry] - Jim S. writes:

In episode 76 when you were discussing the new WiFi distance record, Nick was saying you can't direct a radio wave in flight.  We beg to differ. <pictures of waveguide>

[Larry] - So, I went back and read everything I could on Intel's new wireless bending. We were waaaay off the mark. Not in flight, but at transmit, for long range and "moving antennas". Only for slight variations!


Email added by [Larry] - Chris B. writes:

Hi Paul,

On the last podcast you mentioned blackholing myspace on your home network. Instead of blackholing myspace, I elected to rate limit the traffic to the slowest possible allowed on my home Cisco 831 router, which comes out to the equivalent of about a 9600bps modem. This makes it very painful to browse as it takes a hell of a long time for the graphics to load.

I did this because I have family and a cousin that lives with us. They all know I work in computers/networks/security. Without just blocking the sites, I can blame the 'slowness' on the web site and not 'something I did'. Of course, the cousin gets his own limited user profile with no access to IE and a 'noscript' version of Firefox.

Anyway, I was wondering what myspace networks you were blackholing? I know they have a couple of CIDRs but they also use content distribution providers like Limelight networks and CWIE. The networks I have on the rate limited access list are: CWIE myspace LLNW LLNW LLNW myspace

And thanks for podcasting!

[Larry] - A couple of comments here. Honestly, to protect my (and Paul's) networks, I wouldn't even make those address ranges work at a slow speed! It is not the speed of the attack, it is just the access. Paul, if I recall, you use your own internal caching name server (see book), created a zone for *.myspace.com, and redirect them to If you want myspace, go elsewhere. This makes it easier to get the big offender, but still allow some of the legit media distribution - akamai, and other providers.

Email added by [Larry] - Shlomo D. writes:

I was thinking about what you guys said in Episode 72. It seems that the most clueless tech people have access and are responsible for the most important private information. I'm talking about HR. I know that I wouldn't trust some of our HR people with a laptop, if I had a choice. They are very nice people, but not clueful on privacy issues. From what I hear from our helpdesk crew, they can barely use Outlook. Try explaining how to "print" to a PDF and they give you the thousand yard stare. Now, put them in charge of 1000 people's confidential information and I get worried.

You say, what about our Information Security people. Oh, them, they're in the US, and I'm in Israel. Not only that, they're from Arab countries and will NEVER come here. They scan our server subnet and DMZ regularly. They complain here and there about technical issues or about someone they find doing P2P. But company policy regarding HR issues? No, ours is on their own and Info Sec doesn't deal with them at all. Now I'm really worried.

Is there anything I can do about it? Probably not. I guess it's not as much of an issue, b/c the payroll is on a closed system (separate PCs and network connections) and there is no SSN in this country, at least nothing that is secret, everyone wants our Number for something.

Just my 2 cents worth.

[Larry] Wow, so much seems to be wrong here. Let's discuss - onsite, policies, education, identifiable information....