Differences
This shows you the differences between two versions of the page.
howtos:network_services:running_an_access_point_from_a_slackware_box [2022/11/13 03:20 (UTC)] – [2 Hardware Requirements] louigi600 | howtos:network_services:running_an_access_point_from_a_slackware_box [2023/01/20 09:57 (UTC)] (current) – [4.4 Firewalling] fix typos tim | ||
---|---|---|---|
Line 199: | Line 199: | ||
===== 4.3 DNS and DHCP Servers ===== | ===== 4.3 DNS and DHCP Servers ===== | ||
Now it's time to start dnsmasq. You can actually leave it running from boot if you like or even run specific servers at your choice. I now run separate dnsmasq instances for each AP so I've abandoned Slackware' | Now it's time to start dnsmasq. You can actually leave it running from boot if you like or even run specific servers at your choice. I now run separate dnsmasq instances for each AP so I've abandoned Slackware' | ||
- | Configuring it is something you should look into to suit best your networking needs ... let's just look at some of the most common | + | Configuring it is something you should look into to suit best your networking needs ... let's just look at some of the most common |
Supposing that you want to assign ip addresses belonging to 192.168.0.0/ | Supposing that you want to assign ip addresses belonging to 192.168.0.0/ | ||
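Review bot: the word order in "to suit best your networking needs" on the changed line reads awkwardly; suggest "to best suit your networking needs", and the mid-sentence " ... " should be a comma or colon rather than an ellipsis, since it is joining two halves of one sentence, not marking omitted text.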
Line 211: | Line 211: | ||
* dhcp-leasefile=/ | * dhcp-leasefile=/ | ||
* conf-dir=/ | * conf-dir=/ | ||
- | The options local and domain allow dnsmasq to tell clients they belong to a domain and in return serve as authoritative for that domain. Some distributions that use NetworkManager will not get local resolution to work unless | + | The options local and domain allow dnsmasq to tell clients they belong to a domain and in return serve as authoritative for that domain. Some distributions that use NetworkManager will not get local resolution to work unless |
The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq. | The options except-interface bind-interfaces and listen-address are particularly useful if you want to run more then one instance of dnsmasq. | ||
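Review bot: "more then one instance of dnsmasq" in the last context line should be "more than one instance", and the three option names need separators: "except-interface, bind-interfaces and listen-address". Since the surrounding bullets already show options as bare dnsmasq keys (dhcp-leasefile=, conf-dir=), writing these three the same way would make it clear they are configuration keys rather than prose.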
Line 262: | Line 262: | ||
COMMIT | COMMIT | ||
- | NOTE *: Clamping MSS to PMTU can get internet browsing from your LAN working but can brake VPN packets. The proposed workaround has been made necessary by the increasing tendency of failing to find PMTU. It is not always necessary for you to activate the workaround but be warned that it can equally inadvertently stop working leaving you with an intermittent | + | NOTE *: Clamping MSS to PMTU can get internet browsing from your LAN working but can break VPN packets. The proposed workaround has been made necessary by the increasing tendency of failing to find PMTU. It is not always necessary for you to activate the workaround but be warned that it can equally inadvertently stop working leaving you with an intermittent |
I generally put the content above in / | I generally put the content above in / | ||
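Review bot: the NOTE tells the reader the MSS clamp "can break VPN packets" and "can equally inadvertently stop working", but gives no way to confirm that PMTU discovery is actually failing before turning the workaround on. Suggest adding a one-line check next to the note, for example `tracepath <some-external-host>` or `ping -M do -s 1472 <some-external-host>` from a LAN client, so the clamp is enabled only when large packets really are being dropped, and the reader has something to re-run when the "intermittent" symptom appears.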
Line 269: | Line 269: | ||
/ | / | ||
If you're going to share internet connection you might want to stop ssh access from internet by adding a firewall rule to regulate it or making sshd bind only to the address assigned to br0. The config shown above will not allow incoming ssh traffic from the internet link (by the connection tracking rule) but you may want to back that up with further safety. | If you're going to share internet connection you might want to stop ssh access from internet by adding a firewall rule to regulate it or making sshd bind only to the address assigned to br0. The config shown above will not allow incoming ssh traffic from the internet link (by the connection tracking rule) but you may want to back that up with further safety. | ||
- | Longer | + | Longer |
ListenAddress 192.168.0.1 | ListenAddress 192.168.0.1 | ||
At this point you should be able to associate clients to the AP. | At this point you should be able to associate clients to the AP. | ||
With the above iptables rules client with MAC 0a: | With the above iptables rules client with MAC 0a: | ||
- | client with MAC 00: | + | client with MAC 00: |
- | An other way to implement even more complex MAC ACL to decide who manages AP, who can only route trough | + | Another |
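Review bot: the hunk presents the sshd ListenAddress 192.168.0.1 change as an alternative to a firewall rule, but the two are not equivalent and the text two lines earlier already says the connection-tracking rule blocks inbound ssh from the internet; suggest stating plainly that ListenAddress is a second layer on top of that rule (and that sshd must be restarted for it to take effect, so keep an existing LAN session open while doing it). For the MAC ACL paragraph, "route trough" should be "route through", and the hunk should say that a MAC address is a value the client itself chooses to present, so MAC rules deciding "who manages AP" must not be the only control on administrative access; they belong alongside the WPA authentication hostapd does, not in place of it.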
Line 308: | Line 308: | ||
If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning net.ipv4.tcp_sack off. | If you start going crazy over transferring large files over fast networks for a problem that seems like mtu related but is not you might want to consider turning net.ipv4.tcp_sack off. | ||
- | If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall configuration. You may fully understand the consequences of streaming on your ISP quota but maybe the rest of the family may not: giving them a quota might save you a fit when you need to do an urgent job that requires internet connection. There a re various ways you could go about putting quotas on specific clients on your LAN just keep in mind a few things: | + | If your ISP gives you some sort of traffic quota you may want to add some quotas to your firewall configuration. You may fully understand the consequences of streaming on your ISP quota but maybe the rest of the family may not: giving them a quota might save you a fit when you need to do an urgent job that requires internet connection. There are various ways you could go about putting quotas on specific clients on your LAN just keep in mind a few things: |
* rules with quotas stop matching once quota is exceeded | * rules with quotas stop matching once quota is exceeded | ||
* flushing your tables will reset all quota counters | * flushing your tables will reset all quota counters | ||
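Review bot: the two bullets state the mechanics of quota rules but not their consequence, which is what the reader needs to get right: because a quota rule "stops matching once quota is exceeded", it must be followed by an explicit rule for that client (DROP or REJECT), otherwise the over-quota traffic silently falls through to whatever rule comes next; and because "flushing your tables will reset all quota counters", every rerun of the firewall script mentioned in the previous hunk starts every client's quota from zero again, which should be spelled out. Minor: "mtu related" should be "MTU related", and the sentence ending "just keep in mind a few things:" needs a comma or semicolon before "just".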
Line 595: | Line 595: | ||
Please note the above script only works on 2.6 kernels or above. This probably also applies to socklist. | Please note the above script only works on 2.6 kernels or above. This probably also applies to socklist. | ||
+ | |||
+ | ===== 5.5 Virtual AP ===== | ||
+ | If your wireless NIC supports it you might like to run multiple virtual APs. As mentioned in Chapter 2 to be able to do this | ||
+ | you will need the "valid interface combinations" | ||
+ | If this is the case then you can add virtual AP like this | ||
+ | |||
+ | iw phy0 interface add vap0 type __ap | ||
+ | or | ||
+ | iw wlan0 interface add vap0 type __ap | ||
+ | | ||
+ | this will create a new virtual AP, arbitrarily called vap0 on which you will need to activate a separate instance of hostapd as explained in Chapter 4. | ||
+ | Incidentally the type can be any of of these (as long as your wireless NIC supports them): | ||
+ | |||
+ | * monitor | ||
+ | * managed | ||
+ | * wds | ||
+ | * mesh | ||
+ | * ibss | ||
+ | * __ap | ||
+ | |||
+ | |||
+ | if you subsequentlt want to remove the virtual AP toy can terminate the hostapd running on it, optionally put the nick in down state and then tell iw you want to delete the virtual device: | ||
+ | |||
+ | iw vap0 del | ||
+ | | ||
====== 6 Remote Administration ====== | ====== 6 Remote Administration ====== |
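Review bot: the new 5.5 section tells the reader to start "a separate instance of hostapd as explained in Chapter 4" for vap0 but says nothing about the rest of the Chapter 4 setup: the bridge, the dnsmasq instance from 4.3 and the per-interface and MAC-based iptables rules from 4.4 are all tied to the existing interface, so clients that associate to vap0 would otherwise sit outside them; suggest a sentence saying vap0 needs its own entries in those configurations before it is brought up. The section should also say where the "valid interface combinations" and the phy name used in `iw phy0 interface add vap0 type __ap` come from (`iw list` prints both). Typos in the added lines: "subsequentlt" should be "subsequently", "toy" should be "you", "nick" should be "NIC", "any of of these" has a doubled "of", and "add virtual AP like this" reads better as "add a virtual AP like this".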