Wireless bridge build log
Purpose: An online log of building a wireless bridge system.
Author: author at blastzone dot net
Introduction:
My neighbor and I both need high-speed internet access, so why pay for 2 when you can pay for 1?
I needed a computer that would bridge my network onto hers and allow me to piggyback. After looking into
the Linksys WRT54G just a few months too late, I decided to build my own.
The Problem:
Wireless-to-ethernet (802.11 to 802.3) bridging is apparently a difficult thing to do. A card associated to an access
point as an ordinary client sends every frame with its own MAC address as the source, and the standard 802.11 frame has
no field for the address of a second machine sitting behind that client, so the access point does not know where to
send the responses. There are 2 ways around this: use special hardware that can rewrite the wireless frames on the fly,
or use standard NAT (network address translation), which does work.
              Bridging                         NAT
Pro:          Bridging is transparent          Easy to set up
              Less induced latency             Works on most hardware
              Less maintenance                 Local side has own IP space
Con:          Requires specialized hardware    Higher latency
                                               More administration
I ended up going the NAT route. It's fairly easy to set up under FreeBSD, and I knew it would be a viable option
in a short period of time. I generally use the internet for email, VPN to work, and web, so latency isn't as much
of an issue. Informal testing has shown a minor increase in latency, and no effect on speed.
Hardware:
- Pentium 166MHz in an AT case I had lying around
- 32 Megs RAM
- 2 Western Digital HDDs, 850MB & 1.6GB
- Linksys WRT311T 802.11g card
- Linksys 10/100Mbit PCI card
Building The Hardware:
I like the Pentium chip, as it's got a
big passive heatsink. The noisy part of the system is the 2 Hard disks, but they're necessary right now as
the power is flaky, and the machine is not on a battery backup. I want a redundant disk setup that will keep
running if one disk crashes hard when the power goes out. I'll start looking at creating a bootable CD to run the
system in a bit, but this project was done under a timetable. Every day spent was money I'm giving to the man!
Getting a FreeBSD system set up to run as a NATting firewall is easy, and there's lots of documentation on the web to
that end. I chose to use FreeBSD as it's an OS I'm very familiar with. FreeBSD
6 finally allows for WPA with wireless cards, making it the preferred choice. Building a custom kernel was a
requirement for this project, as the default kernel does not include the ATH driver for the Linksys wireless card. As
with any machine that will be facing the internet or any untrusted network, we also want to disable everything we're
not using. Also, a minimal installation with only the system sources was required due to the small hard disks.
Before we even get that far, we need to build the RAID.
Building The RAID:
I've decided to tack on a RAID 1 (mirroring) setup, in order to give me 2 identical drives that will keep the machine
going should the primary hard disk fail. Being that the disks are about 10 years old, the system is not on a battery
backup, and the power goes out monthly, failure is a 'when', not an 'if'. FreeBSD has incorporated the GEOM disk
system, which *should* make mirroring fairly painless. Yeah. Right.
Ok. First strike against me is the different disk sizes. That makes mirroring more difficult, as we have to create
slices that are the same size. I feel that always expecting your disks to be different sizes is good practice, as
what are the odds you'll be able to get the exact same disk when one of your disk packs fails? Using non-similar
sizes makes it easier down the road. Hardcore RAID people will tell you to use drives from different manufacturers
in order to protect against a defect in the batch bringing your data down with it. If you do that you'll never
get identical disk sizes! But I digress.
The first step is to get identically-sized slices on each disk. We're not going to use all of either disk, so 800MB
slices will be fine. You'll do this step during the install of FreeBSD. IDE drives
generally show up as ad0 and ad2, so our slices will be: ad0s1 and ad2s1. You'll also want to add the FreeBSD
bootloader onto the disks, so they are identical. This will be done by default.
Now, we install FreeBSD, using the minimal install + kernel sources. This will give us a system to work with. Once
we're installed, we will create the Genom disk and mirror the data.
Use the notes found on http://people.freebsd.org/~rse/mirror,
to build a RAID array.
Building The NAT:
Now that we have a RAID stack up and running, it's time to build our custom kernel and set up our bridge. First, we
need to add the ATH driver into the kernel and disable everything we're not using. Below are some of the requirements
I needed in my kernel.
Machine type: i386
Disable:
ufs_dirhash
mdroot
nfsclient
nfsserver
nfsroot
msdosfs
cd9660
ktrace
ahc_reg*
Add Options:
IPFILTER
IPFILTER_LOG
IPFILTER_DEFAULT_BLOCK
Networking devices:
miibus
vx
ath
ath_hal
ath_rate_sample
wlan
wlan_wep
wlan_ccmp
wlan_tkip
View the FreeBSD handbook for more information on building your own kernel. If all goes well, when you restart your
machine, you should see the ath driver load in the startup log. (try dmesg if you missed it). We need to set
the machine up to use WPA to access the wireless network, AND use DHCP to get an IP address. To do that, we must
configure our card in the /etc/rc.conf file.
rc.conf
ifconfig_ath0="WPA DHCP"
We also need to tell the card what network to connect to (SSID) and the WPA key. That is found in /etc/wpa_supplicant.conf
wpa_supplicant.conf
network={
ssid="next_door"
psk="free_internet_here"
}
Restart the network subsystem and you should see your wireless card associate with the network and get an IP address.
But after all that work, I discovered that the network I was connecting to was protected with 128bit WEP! Not to worry,
as FreeBSD supports WEP too. To connect to a WEP network and get an IP address using DHCP, use the following
rc.conf
ifconfig_ath0="ssid default wepmode on wepkey 1: weptxkey 1"
You don't need the wpa_supplicant.conf file at all.
We're connected to the wireless network, now we need to give our internal NIC an IP address and set up the NAT.
You'll also want to disable any unnecessary services. I've left my configuration in for reference.
rc.conf
ifconfig_vx0="inet 192.168.40.1 netmask 255.255.255.0"
inetd_enable="NO"
sendmail_enable="NO"
ipfilter_enable="YES"
ipfilter_flags=""
ipnat_enable="YES"
ipmon_enable="YES"
ipmon_flags="-Dsn"
sshd_enable="YES"
We also need to set the rules for the IPFilter firewall. I've left this fairly open, as there's another firewall
between it and my network, and it's behind my neighbor's router. Here I'm allowing all traffic out from my network
to the internet, and not allowing any traffic in from the internet. This has the benefit of not allowing any connections
to any port on the machine from the outside world. Both the ipf.rules and ipnat.rules files are in /etc.
ipf.rules
pass in all
pass out all
ipnat.rules
map ath0 192.168.40.0/24 -> 0.0.0.0/32 portmap tcp/udp 40000:60000
map ath0 192.168.40.0/24 -> 0.0.0.0/32
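Note that "pass in all" admits every packet that reaches the machine, including unsolicited connections arriving on ath0, no matter what IPFILTER_DEFAULT_BLOCK is set to; that option only decides the fate of packets no rule matches. The ipf.rules below is an added example, not from the original log, that implements the policy described above (internal network out, nothing unsolicited in, ssh only from inside); the interface names and addresses are the ones from the rc.conf above.

```ipf
# Added example, not the original log's rules. Assumes the names used above:
# ath0 = wireless uplink (untrusted side), vx0 = internal LAN 192.168.40.0/24,
# and the NAT box itself at 192.168.40.1.

# Loopback traffic is never filtered.
pass in quick on lo0 all
pass out quick on lo0 all

# Anything arriving on the uplink with an internal source address is spoofed.
block in log quick on ath0 from 192.168.40.0/24 to any

# Internal hosts may manage the box over ssh and may reach the outside world.
# "keep state" lets the replies back in without a matching inbound rule.
pass in quick on vx0 proto tcp from 192.168.40.0/24 to 192.168.40.1 port = 22 flags S keep state
pass in quick on vx0 from 192.168.40.0/24 to any keep state

# Connections the box itself originates on the uplink (DNS, ntp, updates).
pass out quick on ath0 proto tcp from any to any flags S keep state
pass out quick on ath0 proto udp from any to any keep state
pass out quick on ath0 proto icmp from any to any keep state

# Everything else on the wireless side is dropped and logged by ipmon.
block in log quick on ath0 all
block out log quick on ath0 all
```

Because ipnat rewrites outbound packets after filtering and inbound packets before it, the state entries hold the internal 192.168.40.x addresses and the NAT map lines above work unchanged.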
Finally, turn on the forwarding by adding this line to /etc/sysctl.conf
net.inet.ip.forwarding=1
Reboot the machine, and you've got a Wireless to ethernet NAT bridge!
Rebuilding The RAID:
Sure enough, within a month after building the system, one of the disks crashed. Now I'm running a degraded array.
#gmirror status
Name Status Components
mirror/gm0s1 DEGRADED ad2s1
It was ad0 that failed, which is on IDE0. And that's the only drive the system can boot from. Luckily, the MBR was OK, and
enough information stayed stable so that the system could boot into the RAID mirror and keep running. I found a used 4.3GB
drive and prepared to toss that in. But without the FreeBSD boot information on it, the system wouldn't run. Solution:
Clone the remaining good disk.
Knoppix saves the day again. Booting into a Linux LiveCD allows me to run dd and clone my good
drive to the new master.
#dd if=/dev/hdc of=/dev/hda
That took a while on this machine, about 10 minutes. I rebooted, removed the Knoppix disc, and went right into FreeBSD.
Now, the mirror is running degraded, using only ad0s1. We need to re-add ad2s1. I'm also seeing a GMIRROR failure in dmesg,
showing error 17. We will tell gmirror to 'forget' about the old disk, and just re-add it as new.
#gmirror forget gm0s1
#gmirror insert gm0s1 /dev/ad2s1
Now, a look at the status shows the RAID mirror rebuilding:
#gmirror status
Name Status Components
mirror/gm0s1 DEGRADED ad0s1
ad2s1 (2%)
Once completed, we are back in business with a mirrored OS.