Solved

wireless access point not quite working on Linux

Posted on 2013-06-19
11
508 Views
Last Modified: 2013-07-07
I have the following /etc/rc.d/rc.inet1.conf:
# Internet facing interface
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# This is the LAN interface
IPADDR[1]="192.168.0.1"
NETMASK[1]="255.255.255.0"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for wlan0:
IFNAME[2]="wlan0"
IPADDR[2]="192.168.0.128"
NETMASK[2]="255.255.255.0"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

I have the following hostapd.conf:
interface=wlan0
driver=nl80211
ssid=ALLUNEEDIZLUV
hw_mode=g
channel=11
wpa=1
wpa_passphrase=mypass
wpa_key_mgmt=WPA-PSK

and the following dhcpd.conf:
authoritative;
option domain-name "alluneedizluv.local";
ddns-update-style none;

subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.127;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.128;
    range 192.168.0.129 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

host rover {
  hardware ethernet 44:1E:A1:C8:E8:9B;
  fixed-address 192.168.0.102;
}

I have the following iptables settings:
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

I start dhcp as: dhcpd eth1 wlan0

The wired interfaces have worked for some time. The wireless is recent. Everything *appears* to work with the wireless. I can see the ALLUNEEDIZLUV SSID from iPad and Android, and I can connect to them successfully. I see the connection and DHCP address assignment in /var/log/messages.

But, I can't connect to the Internet from these devices. Something must be wrong. I have a feeling it is in my iptables settings, but not sure. What am I doing wrong?
0
Question by:jmarkfoley
11 Comments
 
LVL 19

Expert Comment

by:jools
ID: 39261925
Do you have forwarding enabled in the sysctl.conf?
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39262316
yes:

$ cat /etc/sysctl.conf
net.ipv4.ip_forward = 1
0
 
LVL 76

Expert Comment

by:arnold
ID: 39263031
The issue is that on the wifi side, there is no path to 192.168.0.1 and/or a request might go out, but the response is being directed by iptables through eth0 instead of wlan0.

Either use two separate segments and have the iptables entries dealing with traffic originating from wlan0 NAT output through eth1 and then have an entry on the filter forward side dealing with wlan0 segment being directed to wlan0 similar to a rule dealing with eth0 and the 192.168.0.0 segment.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39263061
As I mentioned elsewhere, I'm no iptables guru. I currently have:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

I basically monkey-typed the 1st two entries from a router-HOWTO I found on the web -- and that worked -- and I simply cloned the eth1 line to make the wlan0. This was a guess on my part.

Could you send me what you think should be the right configuration and I'll give it a shot? eth0 is the Internet interface to the cable modem. eth1 is the interface to the LAN switch and wlan0 is also for the LAN.

THX
0
 
LVL 76

Expert Comment

by:arnold
ID: 39263087
The forward packet will match the first, presumably the eth1, rule and route all traffic there.
Multi segment

The use of multiple segments will mean that you will add the IP segment to the check, i.e.
iptables --append FORWARD --in-interface eth1 -d 192.168.0.0/24 -j ACCEPT
iptables --append FORWARD -d 192.168.1.0/24 --in-interface wlan0 -j ACCEPT

Switch the wireless to the other segment and then you can try positioning the wlan0 with the destination IP segment above the eth0 entry.
0
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39264367
Hmmm, won't using 192.168.1. totally foop up my dhcp config?

subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.127;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.128;
    range 192.168.0.129 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

What if I stuck with that subnetting and did:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -d 192.168.0.0/25 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -d 192.168.0.128/25 -j ACCEPT

Would that be the same idea as what you are describing, but with something matching my dhcp subnets?

Also, your example didn't mention the iptables setting for eth0 (the Internet interface). Is that because the one I have is OK?

I'll hold off trying this until I get some feedback. THX
0
 
LVL 76

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 39264548
You could split the segment as you indicate.
Note your range is 2-126 and 130-254 with eth1 having IP 1 and wlan0 having 129

Your DHCP has to properly push the correct mask 255.255.255.128 and gateway 1 or 129 (not 128 that you are pushing now. 128 is the network address.)

The other difficulty is to make sure that the correct scope applies to the assignment when the requests come in.
0
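The point above (a gateway or lease range that lands on the network or broadcast address of a /25 scope) is easy to check mechanically. The script below is an added example, not code from this thread; it takes the network, mask, gateway and lease range of a dhcpd scope as arguments and reports the same two mistakes the original dhcpd.conf had.

```shell
#!/bin/sh
# Sanity-check a dhcpd scope against its netmask: the gateway and the lease
# range must lie strictly inside the usable host range, i.e. exclude the
# network address (first) and the broadcast address (last) of the subnet.
# Constructed example for this thread, not the poster's configuration.

# dotted quad -> 32-bit integer
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# 32-bit integer -> dotted quad
int2ip() {
    echo "$(( ($1 >> 24) & 255 )).$(( ($1 >> 16) & 255 )).$(( ($1 >> 8) & 255 )).$(( $1 & 255 ))"
}

# check_subnet NETWORK NETMASK GATEWAY RANGE_LOW RANGE_HIGH
# Prints each problem found; returns 0 only when the scope is consistent.
check_subnet() {
    net=$(ip2int "$1"); mask=$(ip2int "$2")
    gw=$(ip2int "$3");  lo=$(ip2int "$4"); hi=$(ip2int "$5")
    bcast=$(( net | (~mask & 4294967295) ))   # host bits all set
    first=$(( net + 1 )); last=$(( bcast - 1 )) # usable host range
    rc=0
    if [ $(( net & mask )) -ne "$net" ]; then
        echo "$1 is not the network address for mask $2"; rc=1
    fi
    if [ "$gw" -lt "$first" ] || [ "$gw" -gt "$last" ]; then
        echo "gateway $3 is the network or broadcast address of $1/$2"; rc=1
    fi
    if [ "$lo" -lt "$first" ] || [ "$hi" -gt "$last" ] || [ "$lo" -gt "$hi" ]; then
        echo "range $4-$5 leaves the usable hosts $(int2ip "$first")-$(int2ip "$last")"; rc=1
    fi
    if [ "$gw" -ge "$lo" ] && [ "$gw" -le "$hi" ]; then
        echo "gateway $3 sits inside the lease range $4-$5"; rc=1
    fi
    return $rc
}

# The two scopes from the original dhcpd.conf: each prints one problem
# (.127 is the broadcast of the first scope, .128 the network of the second).
for scope in "192.168.0.0 255.255.255.128 192.168.0.1 192.168.0.100 192.168.0.127" \
             "192.168.0.128 255.255.255.128 192.168.0.128 192.168.0.129 192.168.0.254"; do
    check_subnet $scope || echo "  -> scope '$scope' needs fixing"
done
```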
 
LVL 1

Author Comment

by:jmarkfoley
ID: 39266051
I modified the iptables commands as shown in my posting ID: 39264367. That didn't work at all. eth0 was unable to get a DHCP IP from the cable modem and I had no connection to the Internet. I reverted back to:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT

but I did change the ranges per your advice:

/etc/dhcpd.conf (partial):
subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.126;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.129;
    range 192.168.0.130 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

/etc/rc.d/rc.inet1.conf:
# Config information for eth0:
# This is the Internet interface and is the built-in NIC
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# Config information for eth1:
# This is the LAN interface and is the add-in card
IPADDR[1]="192.168.0.1"
NETMASK[1]="255.255.255.128"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for wlan0:
IFNAME[2]="wlan0"
IPADDR[2]="192.168.0.129"
NETMASK[2]="255.255.255.128"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

Note the change of the wlan0 IP to 192.168.0.129 versus 128.

That must have been the problem. As soon as I restarted everything with the new IP for wlan0 I was able to have wireless devices connect!!!!!!!!!!

Thanks - I'll leave this open over the weekend (leaving town) in case you can see what I did wrong on the iptables commands.
0
 
LVL 76

Expert Comment

by:arnold
ID: 39266263
Since it works, that is great.
0
 
LVL 1

Accepted Solution

by:jmarkfoley
jmarkfoley earned 0 total points
ID: 39295502
I've finally got this working well so I'm going to post my results. Perhaps this can serve as a HOWTO for future use. These instructions are for Slackware, but can easily be adapted to other distros. Thanks for all the help!

Here are the complete setup instructions in 4 (easy) steps for how I got my Linux wireless router working.  There is lots of information about this on the Internet.  Unfortunately, no two sites have the same procedure and each distribution seems to have its own idiosyncrasies.  Also, while there were lots of examples using a wireless card as the *only* NIC, I didn't find much useful information for an actual ROUTER with WAN, wired-LAN and wireless-LAN interfaces, just like in a real router.

I use Slackware which differs from other distros (GUI tools aside) mainly in that init scripts are kept in /etc/rc.d, but these are easily moved to init directories for other distros.

Adding to the confusion is that Slackware (and undoubtedly other distros) have all kinds of apparently redundant and/or superfluous config files for wireless setup such as /etc/rc.d/rc.wireless, rc.wireless.conf and even settings in /etc/rc.d/rc.inet1.conf (the main network/NIC config file) that don't matter for setting up a wireless router (Access Point).

I staged my router on an ancient computer (14 year old Compaq 686P2) that I upgraded from 128M of memory to 512M (the maximum supported. I had to hunt through a trash box to find the 256M 133MHz DIMMs). This computer had one built-in Ethernet connector. I added in another NIC and a wireless card.

eth0 (on-motherboard) will be the WAN connection connected to the ISP cable modem.  It will get its IP address via DHCP from the cable modem.  eth1 (add-in) will be the LAN connection.

One time-waster was trying to find a wireless card.  I tried several from a bag-o-wireless-cards I had.  Some weren't recognized at all, some worked fine, but did not support Master mode (Access Point).  In the end, I bought a PCI card from ThinkPenguin for $52 that they guaranteed would work with Linux (and it did): https://www.thinkpenguin.com/gnu-linux/penguin-wireless-n-pci-card-gnu-linux-v5. According to their link, this card requires Slackware version 13.1 or later, so I upgraded my box to Slackware 13.37.

CONFIGURING Linux:

1. Configure /etc/rc.d/rc.inet1.conf as follows:

# Config information for eth0:
# This is the Internet interface
IPADDR[0]=""
NETMASK[0]=""
USE_DHCP[0]="yes"
DHCP_HOSTNAME[0]=""

# Config information for eth1:
# This is the wired LAN interface
IPADDR[1]="192.168.0.1"
NETMASK[1]="255.255.255.128"
USE_DHCP[1]=""
DHCP_HOSTNAME[1]=""

# Config information for wlan0:
# This is the wireless LAN interface
IFNAME[2]="wlan0"
IPADDR[2]="192.168.0.129"
NETMASK[2]="255.255.255.128"
USE_DHCP[2]=""
DHCP_HOSTNAME[2]=""

# Default gateway IP address:
GATEWAY=""
:

wlan0 is the wireless LAN connection.  Because this is an Access Point, all other wireless configuration is done elsewhere, so skip (comment out) the other wireless settings in this file such as WLAN_ESSID, WLAN_MODE, WLAN_CHANNEL, LAN_KEY, etc.  As shown above, eth1 and wlan0 split the LAN address range.


2. Enable forwarding by updating/creating /etc/sysctl.conf with the line:

net.ipv4.ip_forward = 1


3.  Set routing.  This is in the file /etc/rc.d/rc.firewall which is automatically run by /etc/rc.d/rc.inet2 at boot time (if rc.firewall is executable!).  To be honest, I'm not enough of an iptables guru to know exactly what this does.  I just monkey-typed the first two lines from some web example and extrapolated the 3rd line by deductive reasoning:

iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables --append FORWARD --in-interface eth1 -j ACCEPT
iptables --append FORWARD --in-interface wlan0 -j ACCEPT


4. Configure hostapd (Host Access Point daemon)

Informative sites:
http://wireless.kernel.org/en/users/Documentation/hostapd
http://w1.fi/hostapd/

I needed to download and install the latest hostapd which was version 2.0 as of this writing:

$ wget http://w1.fi/releases/hostapd-2.0.tar.gz
$ tar -xvzf hostapd-2.0.tar.gz
$ cd hostapd-2.0/hostapd        # the tarball unpacks into hostapd-2.0/
$ cp defconfig .config          # create default .config file
$ make
$ make install

There is no `make config` step.  You have to create your own .config file to make hostapd.  I just used the default example (defconfig) as-is, no changes. I'll play with changes later.  defconfig has lots of options both set and commented.  I assume defconfig is exhaustive.  There are apparently no man pages in the install; another thing to deal with later.  You can get basic help with `hostapd -h`.

Next, create /etc/hostapd/hostapd.conf.  I cobbled one from various examples on the Internet.  I need to find a help doc or man page to know what can really be set in this file:

interface=wlan0
driver=nl80211
ssid=ALLUNEEDIZLUV
hw_mode=g
channel=11
wpa=1
wpa_passphrase=mysecretphrase
wpa_key_mgmt=WPA-PSK


The following command line will start hostapd. I put this command in /etc/rc.local to start it at boot time:

/usr/local/bin/hostapd -B /etc/hostapd/hostapd.conf  # -B start as daemon


5. Configure DHCPD.  I will run DHCPD for both eth1 (wired LAN) and wlan0 (wireless LAN).  This was modified from an as-shipped example already in /etc:

/etc/dhcpd.conf:

# dhcpd.conf
#
# Configuration file for ISC dhcpd (see 'man dhcpd.conf')
#

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

option domain-name "alluneedizluv.local";

# I don't have DNS running, just /etc/resolv.conf ...
ddns-update-style none;
default-lease-time 86400;
# local-port 67;   # default

# This subnet is for eth1, the wired LAN connection
subnet 192.168.0.0 netmask 255.255.255.128 {
    option routers 192.168.0.1;
    range 192.168.0.100 192.168.0.126;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

# This subnet is for wlan0, the wireless LAN connection
subnet 192.168.0.128 netmask 255.255.255.128 {
    option routers 192.168.0.129;
    range 192.168.0.130 192.168.0.254;
    option domain-name-servers 209.18.47.61, 209.18.47.62;
}

# This is supposed to be a DHCP reserved address, but will only work
# if host rover is connecting via wire.
host rover {
  hardware ethernet 44:1E:A1:C8:E8:9B;
  fixed-address 192.168.0.102;
}


Start DHCP with the following command, put in /etc/rc.d/rc.local to start at boot time:

/usr/sbin/dhcpd eth1 wlan0


Sample /etc/rc.d/rc.local:

#!/bin/sh
#
# /etc/rc.d/rc.local:  Local system initialization script.
#
# Put any local startup commands in here.  Also, if you have
# anything that needs to be run at shutdown time you can
# make an /etc/rc.d/rc.local_shutdown script and put those
# commands in there.

echo Starting DHCP Server on eth1 wlan0
/usr/sbin/dhcpd eth1 wlan0

echo Starting Wireless Access Point
/usr/local/bin/hostapd -B /etc/hostapd/hostapd.conf


Troubleshooting

My main troubleshooting issue was having the eth0/1 devices logically switch on successive reboots for whatever reason.  I think the eth1 add-in card is flaky and needs to be replaced.  Obviously, since eth0 goes to the WAN and eth1 goes to the LAN, they are not logically interchangeable! I'll have to do some research on /etc/udev/rules.d to figure out how to make them stick.

There are some good diagnostic tools, some of which can also set parameters in the cards:

ifconfig [ <interface> ]    # show information about the interfaces successfully configured via /etc/rc.d/rc.inet1.conf

Info on NIC cards
lspci -nn | grep 0200

Settings for NIC
ethtool eth0
ethtool -s eth1 speed 100 duplex full # set speed and full duplex

Restart NIC (Slackware)
/etc/rc.d/rc.inet1 <interface>_{ start | stop | restart }
e.g. /etc/rc.d/rc.inet1 eth0_restart

iwconfig [ <interface> ]    # lots of info and settings for wireless

CONCLUSION

Even though all the hardware except for the new ThinkPenguin wireless card is ancient, this router performs better than the D-Link I replaced. Plenty of range (no more dropping iPad connection when going to the kitchen), adjustable power (in case connection is dropped going to the basement). No troubles mapping remote network drives (which could read w/D-link, but not write) or using WINscp (which lost connection and needed re-login multiple times during a session). No lost connections using Viber. Best of all, if/when components fail I can simply replace or upgrade cheaply instead of throwing out the router and buying a new one. On the downside, there is no nifty web page interface for setting router parameters, but I'm working on that! Overall, I am pleased.
0
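The three iptables lines in step 3 only forward traffic because the FORWARD chain's default policy is ACCEPT; they never say which way packets may go, so anything that reaches the router is forwarded. The rc.firewall below is an added example for this thread, not the poster's file: it keeps the same interfaces and MASQUERADE rule but sets FORWARD to DROP, lets each LAN segment open connections to the Internet and to the other segment, and admits return traffic by connection state. DRY_RUN=1 (or the `show` argument) prints the rules instead of applying them.

```shell
#!/bin/sh
# /etc/rc.d/rc.firewall (example): stateful forwarding for a router with a
# DHCP-addressed WAN (eth0), a wired LAN (eth1) and a wireless LAN (wlan0).
# Constructed for this thread; the interface names match the posts above.
WAN=eth0
LAN_WIRED=eth1
LAN_WIFI=wlan0

# Run iptables, or just print the command when DRY_RUN is set.
ipt() {
    if [ -n "$DRY_RUN" ]; then echo "iptables $*"; else iptables "$@"; fi
}

apply_firewall() {
    # Start from a clean slate in the chains this script manages.
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING

    # Nothing crosses the router unless a rule below allows it.
    ipt -P FORWARD DROP

    # Replies to connections the LAN opened are allowed back in
    # (older iptables spells this "-m state --state ESTABLISHED,RELATED").
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Each LAN segment may open new connections towards the Internet only;
    # unlike "-i eth1 -j ACCEPT" this does not permit forwarding into eth1.
    for lan in "$LAN_WIRED" "$LAN_WIFI"; do
        ipt -A FORWARD -i "$lan" -o "$WAN" -m conntrack --ctstate NEW -j ACCEPT
    done

    # Wired and wireless segments may talk to each other; delete these two
    # lines to keep wireless clients away from the wired LAN.
    ipt -A FORWARD -i "$LAN_WIRED" -o "$LAN_WIFI" -j ACCEPT
    ipt -A FORWARD -i "$LAN_WIFI" -o "$LAN_WIRED" -j ACCEPT

    # Hide both 192.168.0.x/25 segments behind the address eth0 got by DHCP.
    ipt -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE
}

# rc.inet2 calls "/etc/rc.d/rc.firewall start"; "show" previews the rules.
case "$1" in
    start|restart) apply_firewall ;;
    show) DRY_RUN=1; apply_firewall ;;
esac
```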
 
LVL 1

Author Closing Comment

by:jmarkfoley
ID: 39305117
I've posted the complete solution in my final post.
0
