Wireless LAN Information

This is a basic run-down of how I managed to get my home firewall to work with a Linksys WPC-11 wireless card in a WDT-11 PCI adapter (which is a PLX adapter) in ad-hoc mode, since the AP code isn't readily available.

My internal network consists of two separately-routed internal segments- one ethernet (eth1) and one wireless (wlan0). My eth0 internface is connected to a DSL modem (not a router- it's an Adtran ADSL-1000, which is basically a DSL-to-ethernet bridge.)

The firewall/wireless machine itself is a Pentium-120 with 64MB RAM, 6GB hard drive, and already had two ethernet cards before the wireless stuff was ever brought into the picture- I have been using it as my home firewall for about two years now.

The machine is running RedHat 7.1 with the kernel upgraded to 2.4.9 (which was the newest version when I compiled it.)

I have to apologize for it taking so long to get this page up- several people have been asking for this information. My main server's hard drive physically died and I lost everything- it was rather ironic because I was getting ready to replace it with a faster box (which is now the current server) and the only thing remaining to do was to copy the data from the old drive to the new one... If anyone ever tells you to make sure you have regular reliable backups, listen to them. (I'm now mirroring all of the site's files to another machine via rdist and ssh.)

Update Code on the Card

In order for ad-hoc mode to work, the code inside the pcmcia card itself has to be upgraded to version 0.8.3 or higher. My card came with 0.8.2 on it.

I downloaded the upgrade utility and the new code from SMC's web site (choose "Drivers & Downloads" on the left, and tell it you have an SMC2602W card. One of the options is a firmware upgrade utility, and their description even says it's for Linux users.)

You have to run their upgrade utility on an MS-Windows machine to actually do the upgrade- I was able to do this on my laptop.

Modify Source Code

I started with the stock "linux-wlan-ng-0.1.10" code and had to make one change to src/prism2/driver/prism2sta.c so the software would recognize my PLX adapter. When I ran the ./Configure script I said no to the pcmcia-cs and native PCI options.

Line 121 of this file was:

#define PCIDEVICE_GL24110P 0x1101UL

I had to change the value as follows:

#define PCIDEVICE_GL24110P 0x1102UL

Init Script

Being based on the RedHat distribution, my system uses a set of scripts in /etc/rc.d/init.d/ to start and stop the various services on the machine. I read the etc/pcmcia/wlan-ng script included with the source package to figure out how to start ad-hoc mode correctly.

After copying this file into place, on a RedHat system the following command will set the system to run it (with the "start" command-line option) when it boots up:

chkconfig --level 2345 wlan on

DHCP Server

After getting ad-hoc mode working, I was only able to test it using my Cassiopea E-125 (a handheld computer) with a wireless card (the D-Link DCF-650W card) by giving the handheld a fixed IP address. However, I also use the handheld on the wireless network at the office and use DHCP to get an address there, and it's a pain to have to re-configure the unit every time I go into the office or come home.

The solution, of course, was to have my DHCP server (which I was already running on my inside ethernet card) also listen on the wireless card.

You will have to modify the /etc/dhcpd.conf (download below) to reflect your own network and your machines. The /etc/rc.d/init.d/dhcpd file is RedHat's script, modified to automatically attach to the correct interface or interfaces when it starts (I don't attach it to eth0, since that is my DSL connection and I think Sprint might have issues with me running a DHCP server on their network.)

Security

Before I actually started the card the first time, I knew I didn't want to provide free wireless internet service to my neighbors. I set up static mappings in /etc/dhcpd.conf for my own card (and later for the Linksys USB adapter that I purchased) to give IP addresses to those two devices, but nobody else.

There are ways around this, of course. Anybody who can physically get close enough to "sniff" my wireless packets out of the air could figure out what IP addresses exist in my house, and manually assign one of them to their own card. They could also figure out my encryption key, given enough wireless traffic (see airsnort.)

My next step was to configure my firewall to only accept packets on the wireless interface which originate from a known MAC address. I'm not going to include the full text of my firewall script, but the relevant lines are:

IPTABLES=/sbin/iptables
WIF=wlan0

...

$IPTABLES -N WIN
$IPTABLES -m mac -A WIN --mac-source 00:04:5A:xx:xx:xx -j RETURN # WPC11 (me)
$IPTABLES -m mac -A WIN --mac-source 00:05:5D:xx:xx:xx -j RETURN # DCF-650W
$IPTABLES -m mac -A WIN --mac-source 00:06:25:xx:xx:xx -j RETURN # WUSB11
$IPTABLES -A WIN -j DROP

$IPTABLES -A INPUT -i $WIF -j WIN

However, anyone who has a utility to change the MAC address of their wireless card (SMC's upgrade utility offered to let me do this) could change his MAC address to one that they see while they're sniffing, and gain access that way.

I haven't figured this one out, but the chance of somebody with the technical know-how to run airsnort actually WANTING to break into my home's network are slightly less than the chance of monkeys flying out of my ...

Files

Download my modified src/prism2/driver/prism2sta.c (please let me know if I'm breaking somebody's copyright by making this file available for download here, I will remove it immediately.)

Download my /etc/rc.d/init.d/wlan
Download my /etc/rc.d/init.d/dhcpd
Download my /etc/dhcpd.conf

Future

Everything above has been working for the last month or so. I have been playing with a couple of things, with only limited success...

I'm trying to do actual bridging between eth1 and wlan0. The bridge is set up and the two subnets are combined into one (my dhcpd.conf has no "range" statement at all now.) My hope is that, even though the linux machine knows nothing about any protocols other than IP, i will be able to pass IPX between my laptop (WinME, wireless usb adapter) and my desktop (WinXP-Pro, ethernet.)

Both ethernet and wireless machines can get out to the internet with no problems. However, they can't ping each other- the wireless machines can't ping the ethernet machines, and vice-versa. Both of the wireless machines (the laptop and the handheld) can ping each other, and the ethernet machines can all ping each other. Doesn't sound like bridging to me.

This is only the second time I've played with bridging, and the first time was non-successful (I was trying to bridge an ethernet with a token ring card, and it turned out the token ring driver didn't support the bridging driver.) If anyone can help, please let me know.

The other thing I'm trying to play with is running the firewall's wireless card as an actual AP. Just now I was able to download the t10003c7.hex file using the anonymous cvs instructions on this page, but I haven't actually tried it yet (because I'm typing this web page, and then I'm going to sleep.)

Update

2002-05-19: Life goes on, circumstances change. I had no success with bridging, and inconsistent results with using the card in AP mode (the card broadcast the AP carrier signal one time, but the handheld couldn't connect to it for some reason). I finally broke down and purchased a Linksys BEFW11S4, which is an AP, a four-port switch, and a firewall/router for a DSL/Cable connection, all in one.

I can now walk around my house with the laptop, mapping drives on the desktop machine and accessing the Internet, which is all I really wanted in the first place. (The router doesn't do MAC-level security, so I turn the wireless functionality off when I'm not using it.)

A back-burner project at work currently has me trying to figure out how to make Orinoco wireless cards act as AP's in a laptop (instead of shelling out the bucks for an AP that's only going to be used maybe once every two months). The Orinoco cards aren't made by Intersil so I doubt the linux-wlan list would be able to help.

Since RedHat comes with the drivers for this card, I've managed to get them working in Peer-to-Peer mode as a DHCP client, IP only (which is all we need to set up a wireless Internet booth at a festival in the park in downtown Kissimmee.)

[hacker emblem] John Simpson <jms1@spamcop.net>
Original 2001-11-18, last updated 2002-10-22