Differences

This shows you the differences between two versions of the page.

howtos:network_services:running_an_access_point_from_a_slackware_box [2016/11/18 15:17 (UTC)]
louigi600 [4.7.2 Slackware Wireless Clients]
howtos:network_services:running_an_access_point_from_a_slackware_box [2023/01/20 09:57 (UTC)] (current)
tim [4.4 Firewalling] fix typos
Line 1: Line 1:
 ====== Setting up a WiFi Access Point on your Slackware Box ====== ====== Setting up a WiFi Access Point on your Slackware Box ======
 You should read this, regardless of whether you are a Slackware enthusiast or not, because you will find most of it applicable to other distributions too.  You should read this, regardless of whether you are a Slackware enthusiast or not, because you will find most of it applicable to other distributions too. 
 +I have recently reused most of this on a debian/DietPI based NanoPi R1S H3 just because it was fester for me to get something functional like that rather than tinkering with uboot and kernel to get slackwareARM running on it. 
 ====== 1 Preamble ====== ====== 1 Preamble ======
 There are endless reasons for wanting to run an AP from a standard Linux environment as opposed to the crippled ones that come in most AP appliances, we're not here to discuss them all but if you're reading this you've found your own motivation for doing it. There are endless reasons for wanting to run an AP from a standard Linux environment as opposed to the crippled ones that come in most AP appliances, we're not here to discuss them all but if you're reading this you've found your own motivation for doing it.
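Review bot: the added sentence about the NanoPi R1S H3 has typos that should be fixed before it goes live: "fester" should be "faster", "debian/DietPI" is "Debian/DietPi", "slackwareARM" is "Slackware ARM", and "tinkering with uboot and kernel" reads better as "tinkering with U-Boot and the kernel".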
Line 15: Line 16:
 Look at the section  Look at the section 
      
-   software interface modes:+   Supported interface modes:
                  * AP/VLAN                  * AP/VLAN
                  * monitor                  * monitor
-AP needs to be among the software interface modes.+AP needs to be among the Supported interface modes.
  
 Ok there is still some Wireless NICs that support hardware master mode but that's 3 against all the rest I'm not going to bother going into any detail with those 3 exceptions, google is your friend if you want to insist in the hardware master mode way.  Ok there is still some Wireless NICs that support hardware master mode but that's 3 against all the rest I'm not going to bother going into any detail with those 3 exceptions, google is your friend if you want to insist in the hardware master mode way. 
 +
 +
 +Should you want to have Virtual Access Poits (more than one AP on a single physical wireless NIC) you will want to look at the section "valid interface combinations".
 +Here's the output from two cards :
 +
 +  [root@nuc8i5 ~]# for Phy in $(iw dev |grep ^phy); do   echo "$Phy";   iw $Phy info | grep  "valid interface combinations" -A 2; done
 +  phy#1
 +        valid interface combinations:
 +                 * #{ AP, mesh point } <= 8,
 +                   total <= 8, #channels <= 1
 +  phy#0
 +        valid interface combinations:
 +                 * #{ managed } <= 1, #{ AP, P2P-client, P2P-GO } <= 1, #{ P2P-device } <= 1,
 +                   total <= 3, #channels <= 2
 +  [root@nuc8i5 ~]#
 +  
 +The first one would allow more than on vAP (up to a maximum of 8) but they all got to be on the same channel.
 +The second one would allow for one AP and one managed client to be used at the same time even of different channels but the total number of live APs need to be no more than one.
  
 ====== 3 Software Requirements ====== ====== 3 Software Requirements ======
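Review bot: the new "valid interface combinations" paragraph has typos ("Virtual Access Poits", "more than on vAP", "even of different channels", "need to be" for "needs to be"), and the two interpretations could each be one notch more precise: on phy#1 the line "#{ AP, mesh point } <= 8, total <= 8, #channels <= 1" means up to eight AP or mesh interfaces that must all share one channel, while on phy#0 "#{ AP, P2P-client, P2P-GO } <= 1" caps the AP count at one, so only the managed client may sit on a different channel from the AP. The root prompt in the transcript is not needed for this: "iw dev" and "iw phy info" are read-only queries that work as an unprivileged user.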
Line 73: Line 92:
   * rp-pppoe (*)   * rp-pppoe (*)
  
-(*) only if you want your AP to actually manage your internet connection. +(*) only if you want your AP to actually manage your internet connection trough some sort of point PPP modem
  
  
 ===== 3.3 Other Software ===== ===== 3.3 Other Software =====
   * hostapd   * hostapd
 +  * miniupnpd (only required if you have appliances that require upnp)
  
-Hostapd is not shipped with Slackware packages and is the only extra software you need for a basic setup.+Neither of these are included in the slackare installation packages, only hostap is mandatory to gae basic AP functionality
 To obtain hostapd you could either download a binary version from some reliable source or compile it from sources. You might be slightly better off compiling from sources, so that you get e fairly recent version, but it's up to you. Just don't try using really old hostapd versions like 0.6.7 on 2.6+ kernels: hostapd has followed the kernel wireless stack drivers and transitioned from only supporting FullMAC devices to supporting SoftMAC on almost all devices trough nl80211. Nowadays the combination of both hardware and driver supporting FullMAC is hard to come by (Prism2/2.5/3, and Atheros ar521x) all the others need to go the SoftMAC way so I suggest ignoring the 2 that could still go the FullMAC way and just go for SoftMAC for all, allowing you to use almost any WiFi card for creating an AP. If you like you can read more about [[http://wireless.kernel.org/en/developers/Documentation/mac80211 |  mac80211 here]]. To obtain hostapd you could either download a binary version from some reliable source or compile it from sources. You might be slightly better off compiling from sources, so that you get e fairly recent version, but it's up to you. Just don't try using really old hostapd versions like 0.6.7 on 2.6+ kernels: hostapd has followed the kernel wireless stack drivers and transitioned from only supporting FullMAC devices to supporting SoftMAC on almost all devices trough nl80211. Nowadays the combination of both hardware and driver supporting FullMAC is hard to come by (Prism2/2.5/3, and Atheros ar521x) all the others need to go the SoftMAC way so I suggest ignoring the 2 that could still go the FullMAC way and just go for SoftMAC for all, allowing you to use almost any WiFi card for creating an AP. If you like you can read more about [[http://wireless.kernel.org/en/developers/Documentation/mac80211 |  mac80211 here]].
  
-Hostapd sources can be downloaded from [[http://w1.fi/hostapd/ | here]], you should be looking at recent stable version (2.last time this article was edited) and avoid the development/old branches.+Hostapd sources can be downloaded from [[http://w1.fi/hostapd/ | here]], you should be looking at the most recent stable version (2.last time this article was edited) and avoid the development/old branches.
 Compiling hostapd is really simple: Compiling hostapd is really simple:
   - extract the sources   - extract the sources
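Review bot: the replacement sentence "Neither of these are included in the slackare installation packages, only hostap is mandatory to gae basic AP functionality" has several typos (Slackware, hostapd, "to get") and lacks a full stop; the "(*)" footnote "trough some sort of point PPP modem" should read "through some sort of point-to-point (PPP) modem". Two substantive points: the new miniupnpd bullet should warn that UPnP lets any LAN client open inbound port forwards on the router, so it belongs only on networks where every client is trusted; and the unchanged advice to "download a binary version from some reliable source" should be paired with verifying the download's signature or checksum against the w1.fi release, since hostapd is the process that terminates WPA for the whole network. The placeholder "2.last time this article was edited" is still unresolved and should name the actual version.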
Line 89: Line 109:
   - edit the defconfig file and enable any optional features you need (default is fine for a simple setup)   - edit the defconfig file and enable any optional features you need (default is fine for a simple setup)
   - copy the defconfig file to .config   - copy the defconfig file to .config
 +  - make a softlink for netlink includes (cd /usr/include; ln -s libnl3/netlink .)
   - make   - make
   - make install (or optionally just put in /usr/local/bin just the hostapd binary)   - make install (or optionally just put in /usr/local/bin just the hostapd binary)
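Review bot: the new step "make a softlink for netlink includes (cd /usr/include; ln -s libnl3/netlink .)" modifies a system-wide include directory as root to satisfy a single build; the less invasive fix is to point the build at the headers from hostapd's own .config (adding "CFLAGS += -I/usr/include/libnl3" is the usual approach), so nothing outside the build tree changes. If the symlink is kept, the step should say it must be run as root and that the link remains after the build.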
Line 97: Line 118:
 If your AP also acts a router it's probably going to be exposed to malware and even if you do your best to keep malicious users out of your work they might still find a way in. If your router is exposed to internet you might want to consider some sort of file integrity tool that would alert you if files have been tampered with. File integrity checking could be a whole article so I'm not going to go into any detail beyond advising to read more about it on security oriented communities like [[http://www.securityfocus.com|security focus]] or maybe just do a google search on "file integrity tool".   If your AP also acts a router it's probably going to be exposed to malware and even if you do your best to keep malicious users out of your work they might still find a way in. If your router is exposed to internet you might want to consider some sort of file integrity tool that would alert you if files have been tampered with. File integrity checking could be a whole article so I'm not going to go into any detail beyond advising to read more about it on security oriented communities like [[http://www.securityfocus.com|security focus]] or maybe just do a google search on "file integrity tool".  
 ====== 4 Configuring ====== ====== 4 Configuring ======
-Now let's have a look at how to configure everything to that it will work right.+Now let's have a look at how to configure everything so that it will work right.
  
 ===== 4.1 Hostapd ===== ===== 4.1 Hostapd =====
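Review bot: only the typo ("to that" to "so that") changes here, but the unchanged file-integrity paragraph above would benefit from one practical sentence: the integrity database and the checking binary must be kept where an intruder with root on the router cannot rewrite them (read-only or removable media, or a copy off the box), otherwise the alert it is meant to raise can simply be silenced by refreshing the baseline.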
Line 116: Line 137:
   * hw_mode=g  #to keep it simple don't attempt n mode right away even if your hardware supports it   * hw_mode=g  #to keep it simple don't attempt n mode right away even if your hardware supports it
   * channel=6  #or whatever other channel you prefer   * channel=6  #or whatever other channel you prefer
 +  * ieee80211d=1
 +  * country_code=IT
 +  * ieee80211n=1
 +  * auth_algs=1
   * macaddr_acl=1 # see notes below    * macaddr_acl=1 # see notes below 
   * # 0 = accept unless in deny list (iptables mac filtering and optionally have a ban list)   * # 0 = accept unless in deny list (iptables mac filtering and optionally have a ban list)
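Review bot: the added "ieee80211n=1" contradicts the unchanged comment two lines above it, "to keep it simple don't attempt n mode right away even if your hardware supports it"; either drop that comment or mark ieee80211n=1 as optional and say that hw_mode=g together with ieee80211n=1 is how 2.4 GHz 802.11n is enabled. "country_code=IT" and "ieee80211d=1" need a comment that the code must be the reader's own country, since it selects the regulatory domain (allowed channels and transmit power) the AP advertises; "auth_algs=1" deserves a comment that it permits open system authentication only, which is the correct setting for WPA2-PSK.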
Line 123: Line 148:
   * wpa=2   * wpa=2
   * wpa_psk_file=/etc/hostapd/wlan0.wpa_psk   * wpa_psk_file=/etc/hostapd/wlan0.wpa_psk
-  * wpa_key_mgmt=WPA-PSK WPA-PSK-SHA256 +  * wpa_key_mgmt=WPA-PSK 
-  * wpa_pairwise=TKIP +
   * rsn_pairwise=CCMP   * rsn_pairwise=CCMP
   * wpa_group_rekey=600   * wpa_group_rekey=600
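Review bot: removing "wpa_pairwise=TKIP" and trimming wpa_key_mgmt to "WPA-PSK" are silent changes to what clients are offered; the text should state the rationale so that a reader does not re-add TKIP: with wpa=2 only RSN (WPA2) is advertised, rsn_pairwise=CCMP is the option that governs it, and TKIP is deprecated, so leaving it out is the right call. Dropping WPA-PSK-SHA256 also deserves a sentence, since the earlier revision offered it.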
Line 175: Line 199:
 ===== 4.3 DNS and DHCP Servers ===== ===== 4.3 DNS and DHCP Servers =====
 Now it's time to start dnsmasq. You can actually leave it running from boot if you like or even run specific servers at your choice. I now run separate dnsmasq instances for each AP so I've abandoned Slackware's rc.dnsmasq and start it from my custom network scripts which requires separate config files for each interface (like /etc/dnsmasq/br0.conf and /etc/dnsmasw/wlan1.conf). Now it's time to start dnsmasq. You can actually leave it running from boot if you like or even run specific servers at your choice. I now run separate dnsmasq instances for each AP so I've abandoned Slackware's rc.dnsmasq and start it from my custom network scripts which requires separate config files for each interface (like /etc/dnsmasq/br0.conf and /etc/dnsmasw/wlan1.conf).
-Configuring it is something you should look into to suit best your networking needs ... let's just look at some of the most common tings.+Configuring it is something you should look into to suit best your networking needs ... let's just look at some of the most common things.
 Supposing that you want to assign ip addresses belonging to 192.168.0.0/24 and this are the options you will need: Supposing that you want to assign ip addresses belonging to 192.168.0.0/24 and this are the options you will need:
  
   * interface=br0   * interface=br0
 +  * bogus-priv
 +  * local=/local/
 +  * domain=local
   * except-interface=lo   * except-interface=lo
-  * bind-interfaces 
   * listen-address=192.168.0.1   * listen-address=192.168.0.1
   * dhcp-range=192.168.0.2,192.168.0.254,24h   * dhcp-range=192.168.0.2,192.168.0.254,24h
   * dhcp-leasefile=/run/dnsmasq/dnsmasq.leases   * dhcp-leasefile=/run/dnsmasq/dnsmasq.leases
   * conf-dir=/etc/dnsmasq.d   * conf-dir=/etc/dnsmasq.d
 +The options local and domain allow dnsmasq to tell clients they belong to a domain and in return serve as authoritative for that domain. Some distributions that use NetworkManager will not get local resolution to work unless you define these 2 options.
  
 The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq. The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq.
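Review bot: removing "bind-interfaces" from the option list leaves the unchanged sentence below it ("The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq") referring to an option that is no longer shown, and the removal works against that use case: without bind-interfaces (or bind-dynamic) dnsmasq binds the wildcard address, so a second instance for another interface cannot bind its ports. Either restore the option or explain why it was dropped. Two smaller points: "local=/local/" and "domain=local" pick the .local suffix, which RFC 6762 reserves for multicast DNS, so clients running mDNS (Avahi, Apple devices) may resolve those names differently; a suffix such as "lan" or "home.arpa" avoids the clash. Typos: "/etc/dnsmasw/wlan1.conf", "more then".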
Line 194: Line 221:
 Now is a good time to configure your firwall protection. Now is a good time to configure your firwall protection.
 Supposing that the box will be routing packages thought it I'll show some rules that you might find helpfull. Supposing that the box will be routing packages thought it I'll show some rules that you might find helpfull.
 +
 +Newer kernels nswitched to nftables but you can still use iptables to manipulate the kernel netfilter tables.
 +Actually if you want to move to using nftables but you are not familiar with the syntax you can save the kernel netfilter tables in netfilter format like this:
 +
 +  nft list ruleset > nftables.conf
 +
 +Personally I'm still struggling with nft syntax so I will keep the rest of this chapter in iptabls syntax: you can convert, like I showed above, after you are done.
 + 
 This is the output of iptables-save, you can edit it to make the changes you require and then pipe your edited file to iptables-restore. This is the output of iptables-save, you can edit it to make the changes you require and then pipe your edited file to iptables-restore.
 The iptables-save/iptables-restore is a handy way of keeping configuration for easy firewall activation and editing. The iptables-save/iptables-restore is a handy way of keeping configuration for easy firewall activation and editing.
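Review bot: "nft list ruleset > nftables.conf" dumps the ruleset in nft syntax, not "netfilter format", and it only shows rules that were loaded through the nf_tables backend: if the iptables binary on the box is the legacy (xtables) one, "nft list ruleset" prints nothing even though the iptables rules are active, so the paragraph should tell the reader to check "iptables -V" for "(nf_tables)" first. For converting existing rules, "iptables-restore-translate -f" (shipped with the nftables-backed iptables) translates directly from an iptables-save file. Typos: "nswitched", "iptabls", "firwall", "packages thought it" (packets through it), "helpfull".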
Line 227: Line 262:
   COMMIT   COMMIT
  
-NOTE *: Clamping MSS to PMTU can get internet browsing from your LAN working but can brake VPN packets. The proposed workaround has been made necessary by the increasing tendency of failing to find PMTU. It is not always necessary for you to activate the workaround but be warned that it can equally inadvertently stop working leaving you with an intermittent  problem that is difficult to debug. It can be intermittent because the path your packets take to arrive to any destination on internet is not always the same dew to the necessity of fault tolerance. This note could become a whole article on it's own so [[https://blog.cloudflare.com/path-mtu-discovery-in-practice/|here's]] an intresting read on the issue. +NOTE *: Clamping MSS to PMTU can get internet browsing from your LAN working but can break VPN packets. The proposed workaround has been made necessary by the increasing tendency of failing to find PMTU. It is not always necessary for you to activate the workaround but be warned that it can equally inadvertently stop working leaving you with an intermittent  problem that is difficult to debug. It can be intermittent because the path your packets take to arrive to any destination on internet is not always the same due to the necessity of fault tolerance. This note could become a whole article on it's own so [[https://blog.cloudflare.com/path-mtu-discovery-in-practice/|here's]] an intresting read on the issue. 
  
 I generally put the content above in /ect/firewall.cf and add "/usr/sbin/iptables-restore < /etc/firewall.cf" to rc.local. I generally put the content above in /ect/firewall.cf and add "/usr/sbin/iptables-restore < /etc/firewall.cf" to rc.local.
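Review bot: the NOTE still has "it's own" for "its own" and "intresting"; the next paragraph's path "/ect/firewall.cf" disagrees with the "/etc/firewall.cf" used in the iptables-restore command on the same line. Since the file is restored verbatim at boot, it should also say the file must be root-owned and not writable by anyone else, otherwise whoever can edit it controls the firewall.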
Line 234: Line 269:
   /etc/rc.d/rc.sshd restart   /etc/rc.d/rc.sshd restart
 If you're going to share internet connection you might want to stop ssh access from internet by adding a firewall rule to regulate it or making sshd bind only to the address assigned to br0. The config shown above will not allow incoming ssh traffic from the internet link (by the connection tracking rule) but you may want to back that up with further safety. If you're going to share internet connection you might want to stop ssh access from internet by adding a firewall rule to regulate it or making sshd bind only to the address assigned to br0. The config shown above will not allow incoming ssh traffic from the internet link (by the connection tracking rule) but you may want to back that up with further safety.
-Longer iptabls chains generally have bad impact on firewall performance so you might want to add something like this to /etc/ssh/sshd_config:+Longer iptables chains generally have bad impact on firewall performance so you might want to add something like this to /etc/ssh/sshd_config:
   ListenAddress 192.168.0.1   ListenAddress 192.168.0.1
  
 At this point you should be able to associate clients to the AP. At this point you should be able to associate clients to the AP.
 With the above iptables rules client with MAC 0a:0b:0c:0d:0e:0f can associate and access the AP itself but not route trough the AP (with the exception of dns querys that get forwarded by dnsmasq), With the above iptables rules client with MAC 0a:0b:0c:0d:0e:0f can associate and access the AP itself but not route trough the AP (with the exception of dns querys that get forwarded by dnsmasq),
-client with MAC 00:01:02:03:04:05 can route thought the AP but not access the AP itself. The example was just to show clearly the difference of having packets go into the box and routing packets trough the box as this behavior was radically different in the ip_chains.  +client with MAC 00:01:02:03:04:05 can route thought the AP but not access the AP itself. The example was just to show clearly the difference of having packets go into the box and routing packets through the box as this behavior was radically different in the ip_chains.  
-An other way to implement even more complex MAC ACL to decide who manages AP, who can only route trough and who can do both can be done by using ebtables (nee to add that to the software list not present in Slackware) and fiddle with the broute chain. In all cases you might find interesting the [[http://en.wikipedia.org/wiki/Iptables#mediaviewer/File:Netfilter-packet-flow.svg | netfilter flow diagram]].+Another way to implement even more complex MAC ACL to decide who manages AP, who can only route through and who can do both can be done by using ebtables (need to add that to the software list not present in Slackware) and fiddle with the broute chain. In all cases you might find interesting the [[http://en.wikipedia.org/wiki/Iptables#mediaviewer/File:Netfilter-packet-flow.svg | netfilter flow diagram]].
  
  
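Review bot: remaining typos in the unchanged lines: "trough" (twice), "thought the AP", "dns querys". On substance, the MAC-based split (one client allowed to reach the box, one allowed to route through it) should carry the caveat that a MAC address is set by the client, so macaddr_acl and MAC-matching iptables rules are convenience filters for known devices, not authentication; the WPA2 passphrase and, for management, sshd's ListenAddress and key-based login are what actually gate access.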
Line 273: Line 308:
 If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning net.ipv4.tcp_sack off. If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning net.ipv4.tcp_sack off.
  
-If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall configuration. You may fully understand the consequences of streaming on your ISP quota but maybe the rest of the family may not: giving them a quota might save you a fit when you need to do an urgent job that requires internet connection. There a re various ways you could go about putting quotas on specific clients on your LAN just keep in mind a few things:+If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall configuration. You may fully understand the consequences of streaming on your ISP quota but maybe the rest of the family may not: giving them a quota might save you a fit when you need to do an urgent job that requires internet connection. There are various ways you could go about putting quotas on specific clients on your LAN just keep in mind a few things:
   * rules with quotas stop matching once quota is exceeded    * rules with quotas stop matching once quota is exceeded 
   * flushing your tables will reset all quota counters   * flushing your tables will reset all quota counters
Line 560: Line 595:
  
 Please note the above script only works on 2.6 kernels or above. This probably also applies to socklist. Please note the above script only works on 2.6 kernels or above. This probably also applies to socklist.
 +
 +===== 5.5 Virtual AP =====
 +If your wireless NIC supports it you might like to run multiple virtual APs. As mentioned in Chapter 2 to be able to do this 
 +you will need the "valid interface combinations" sections to have #AP to be greater than one and if you optionally want them to live on separate channels you will need #channels to be greater than 1.
 +If this is the case then you can add virtual AP like this
 +
 +  iw phy0 interface add vap0 type __ap
 +or
 +  iw wlan0 interface add vap0 type __ap
 +  
 +this will create a new virtual AP, arbitrarily called vap0 on which you will need to activate a separate instance of hostapd as explained in Chapter 4.
 +Incidentally the type can be any of of these (as long as your wireless NIC supports them):
 +
 +  * monitor
 +  * managed 
 +  * wds
 +  * mesh 
 +  * ibss 
 +  * __ap
 +
 +
 +if you subsequentlt want to remove the virtual AP toy can terminate the hostapd running on it, optionally put the nick in down state and then tell iw you want to delete the virtual device:
 +
 +  iw vap0 del
 +  
  
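Review bot: the new 5.5 section has typos ("any of of these", "subsequentlt", "toy can", "nick" for "NIC") and the commands would be clearer with iw's explicit object keywords: "iw phy phy0 interface add vap0 type __ap", "iw dev wlan0 interface add vap0 type __ap" and "iw dev vap0 del". It should also repeat the constraint from Chapter 2 that on a card with "#channels <= 1" every vAP must use the same channel as the existing AP, and that each vAP needs its own BSSID and hostapd configuration; as an alternative to a separate hostapd instance per vAP, hostapd can drive several BSSes on one phy from a single config file with additional "bss=" sections.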
 ====== 6 Remote Administration ====== ====== 6 Remote Administration ======
Line 936: Line 996:
   * save the random-seed to unused sector on flash when shutting down (rc.0 ... well it's a link to rc.6) and load it back to /dev/urandom from rc.S when system comes up again   * save the random-seed to unused sector on flash when shutting down (rc.0 ... well it's a link to rc.6) and load it back to /dev/urandom from rc.S when system comes up again
  
-You could optionally have fstab specify that root should be mounted ro like this:+You could optionally have fstab specify that root should be mounted ro like this: (example below is relative to when I was using ubifs on the DocStar)
  
-/dev/ubi0_0      /               ubifs  ro                       1+  /dev/ubi0_0      /               ubifs  ro                       1
  
-You will also haveto make some links in various places so that they end up writing in /run that has been mounted tmpfs. I do that manually just once with / mounted rw and then remount it ro.+You will also have to make some links in various places so that they end up writing in /run that has been mounted tmpfs. I do that manually just once with / mounted rw and then remount it ro.
  
 If you're interested in actually making such changes to the init scripts I've shared how I go about it on [[http://www.linuxquestions.org/questions/slackware-arm-108/anyone-else-interested-in-running-some-of-their-arm-devices-with-root-mounted-read-only-4175590642/ | Linux Questions]]. If you're interested in actually making such changes to the init scripts I've shared how I go about it on [[http://www.linuxquestions.org/questions/slackware-arm-108/anyone-else-interested-in-running-some-of-their-arm-devices-with-root-mounted-read-only-4175590642/ | Linux Questions]].
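Review bot: the fstab example "/dev/ubi0_0 / ubifs ro 1" sets the dump field to 1 and omits the fsck pass field; since UBIFS has no fsck and nobody runs dump on a flash root, "0 0" is the conventional ending. The random-seed bullet would benefit from saying that the saved seed must be readable by root only and rewritten on every shutdown, because a seed that is reused or readable by others weakens the randomness it is meant to restore.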
Line 971: Line 1031:
 I'm not going to miss my old low end AP, are you ? I'm not going to miss my old low end AP, are you ?
 I replaced it with home-brew stuff from which this article is derived. I replaced it with home-brew stuff from which this article is derived.
-Over the years I've done several remakes adding some new features. The last upgrade was 8 programmable buttons with indicator leds to carry out arbitrary functions.+Over the years I've done several remakes adding some new features. The last upgrade was using a Friendlyelec NanoPi R1S with integrated wifi and 2 ethernet nics requiring no extra usb dongles. 
 + 
 +Gen 5 (Friendlyelec NanoPI R1S) 
 + 
 +{{howtos:network_services:g5_nanopi.jpeg| NanoPi R1S}} 
 + 
 +The original case has 2 issues: cappy internal antenna and tendency to overheat ... so I 3d-printed my own [[https://www.thingiverse.com/thing:5408048|case]]. 
 + 
 +{{howtos:network_services:nanopi_r1s_diy_case.jpg| DIY Case}} 
 + 
 +Gen 4 (RPi2 with display) 
 + 
 +{{howtos:network_services:g4_rpi.jpeg| RPi2 with shoft buttons}} 
 + 
 + 
 +Gen 3 (RPi2 with buttons and leds
 + 
 +{{howtos:network_services:g3_rpi.jpg| RPi2 with hardware buttons}} 
 + 
 +Gen 2 (RPi2 in aluminum Sandwich) 
 + 
 +{{howtos:network_services:g2_rpi.jpg| RPi2}} 
 + 
 +Gen 1 (Seagate DocStar in aluminum Sandwich)
  
-{{http://i246.photobucket.com/albums/gg113/louigi600/ARM/piwrap_zpshjjyflm8.jpg}} +{{howtos:network_services:g1_seagate_docstar.jpg| Seagate DocStart}}
-{{http://i246.photobucket.com/albums/gg113/louigi600/ARM/RPi2_2_zpsytug1dvq.jpg}} +
-{{http://i246.photobucket.com/albums/gg113/louigi600/ARM/Seagate_wrapStar_zpsf6047f16.jpg}}+
  
  
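Review bot: the gallery text has typos: "cappy internal antenna" (crappy), "RPi2 with shoft buttons" (soft buttons), "Gen 3 (RPi2 with buttons and leds" is missing its closing parenthesis, and the Gen 1 caption "Seagate DocStart" should be "Seagate DocStar" as in the heading above it; "Friendlyelec NanoPI R1S" and "Friendlyelec NanoPi R1S" should be spelled the same way.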
