2 Wireless APs in One with VLAN trunking in OpenWRT
I had a bit of a technical challenge to solve in our house recently. I wanted to create a guest WLAN, as well as another WLAN for Alex’s Nintendo DS. The challenge? The DS only does WEP. No WPA at all. Not being interested in giving unrestricted access to either group, particularly the latter, I decided it would be useful to deploy both SSIDs on the same AP, and try to map the different SSIDs into different VLANs.
Our firewall is a Juniper Networks SRX210, which lends itself very well to this task, as it supports Ethernet switching natively. First up was creating a couple of VLANs and RVIs on the firewall and assigning them to security zones. These RVIs will need to have DHCP allowed on them as an inbound system service. Then some security policies will need to be created to allow devices in the new zones to talk out to the untrust (i.e. Internet) zone (those policies are not shown in the example below). After that, you'll need to configure a VLAN trunk on the port connected to the wireless AP (fe-0/0/6 in our example). Finally, you'll need to set up DHCP helpers for each of the RVIs to direct their DHCP requests to your DHCP server. If you use the SRX as your DHCP server, you would instead configure a DHCP scope for these networks. Here's an example of what that might look like:
set vlans vlan2 vlan-id 2
set vlans vlan2 l3-interface vlan.2
set vlans vlan3 vlan-id 3
set vlans vlan3 l3-interface vlan.3
set int fe-0/0/6.0 family ethernet-switching port-mode trunk
set int fe-0/0/6.0 family ethernet-switching vlan members [ vlan2 vlan3 ]
set int vlan.2 family inet addr 192.168.2.1/24
set int vlan.3 family inet addr 192.168.3.1/24
set forwarding-options helpers bootp interface vlan.2 server 192.168.1.20
set forwarding-options helpers bootp interface vlan.3 server 192.168.1.20
set security zones security-zone guest interfaces vlan.2 host-inbound-traffic system-services dhcp
set security zones security-zone guest interfaces vlan.2 host-inbound-traffic system-services ping
set security zones security-zone dsnet interfaces vlan.3 host-inbound-traffic system-services dhcp
set security zones security-zone dsnet interfaces vlan.3 host-inbound-traffic system-services ping
But that's only half of the battle. We still need to set up the AP. In our example, I used a Fonera Fon 2100. Instructions for how to reflash it with OpenWRT can be found on their wiki. Once you've got that together, you'll need to make some mods to their stock network configuration to make it work, but it's not so bad. Essentially, you'll make 2 SSIDs and bind them to 2 VLAN-tagged sub-interfaces of eth0, forming 2 bridge groups. In OpenWRT, when you create an interface of the form eth0.X, where X is in the range 1-4094, you've just created a sub-interface tagged with 802.1Q VLAN ID X.
/etc/config/network:
config 'interface' 'loopback'
    option 'ifname' 'lo'
    option 'proto' 'static'
    option 'ipaddr' '127.0.0.1'
    option 'netmask' '255.0.0.0'

config 'interface' 'guest'
    option 'ifname' 'eth0.2'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'ipaddr' '192.168.2.2'
    option 'defaultroute' '0'
    option 'peerdns' '0'
    option 'stp' '1'

config 'interface' 'dsnet'
    option 'ifname' 'eth0.3'
    option 'type' 'bridge'
    option 'proto' 'static'
    option 'netmask' '255.255.255.0'
    option 'ipaddr' '192.168.3.2'
    option 'stp' '1'
    option 'defaultroute' '0'
    option 'peerdns' '0'
/etc/config/wireless:
config 'wifi-device' 'wifi0'
    option 'type' 'atheros'
    option 'channel' 'auto'
    option 'disabled' '0'
    option 'diversity' '0'

config 'wifi-iface'
    option 'device' 'wifi0'
    option 'mode' 'ap'
    option 'ssid' 'dsnet'
    option 'encryption' 'wep'
    option 'key' 's:myWEPkey12345'
    option 'macpolicy' 'allow'
    list 'maclist' 'e8:4e:ce:xx:yy:zz'
    option 'network' 'dsnet'

config 'wifi-iface'
    option 'device' 'wifi0'
    option 'ssid' 'notyourhouse'
    option 'network' 'guest'
    option 'mode' 'ap'
    option 'encryption' 'psk2'
    option 'key' 'guestWPAkey'
Now you’ve got both SSIDs up, each bound to a different VLAN, and can enforce different security policies on each!
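The whole point of the setup is that each SSID lands in its own VLAN and therefore its own SRX security zone, and the chain SSID -> OpenWRT network -> eth0.X -> SRX VLAN -> trunk member -> RVI -> zone -> DHCP helper has several links that can silently break. The following script is an added example, not code from the original post or from OpenWRT or Juniper: it parses both the Junos "set" lines and the UCI files from this post (the sample text is copied from above, with keys and the MAC address left out) and reports any SSID whose chain is incomplete, any two SSIDs that share a VLAN, and any SSID running without real encryption (the WEP network for the DS, which is exactly why it gets its own zone). The parsing covers only the statement forms that appear on this page.

```python
"""Consistency check for the SSID -> VLAN -> zone mapping (added example)."""
import re
import shlex

# Constructed sample inputs, copied from the post's configs (keys/MACs omitted).
SRX_CONFIG = """
set vlans vlan2 vlan-id 2
set vlans vlan2 l3-interface vlan.2
set vlans vlan3 vlan-id 3
set vlans vlan3 l3-interface vlan.3
set int fe-0/0/6.0 family ethernet-switching port-mode trunk
set int fe-0/0/6.0 family ethernet-switching vlan members [ vlan2 vlan3 ]
set forwarding-options helpers bootp interface vlan.2 server 192.168.1.20
set forwarding-options helpers bootp interface vlan.3 server 192.168.1.20
set security zones security-zone guest interfaces vlan.2 host-inbound-traffic system-services dhcp
set security zones security-zone dsnet interfaces vlan.3 host-inbound-traffic system-services dhcp
"""
UCI_NETWORK = """
config 'interface' 'guest'
    option 'ifname' 'eth0.2'
    option 'type' 'bridge'
config 'interface' 'dsnet'
    option 'ifname' 'eth0.3'
    option 'type' 'bridge'
"""
UCI_WIRELESS = """
config 'wifi-iface'
    option 'ssid' 'dsnet'
    option 'encryption' 'wep'
    option 'network' 'dsnet'
config 'wifi-iface'
    option 'ssid' 'notyourhouse'
    option 'network' 'guest'
    option 'encryption' 'psk2'
"""

def parse_uci(text):
    """Return UCI sections as dicts: type, name, opts (option), lists (list)."""
    sections = []
    for raw in text.splitlines():
        w = shlex.split(raw)
        if not w:
            continue
        if w[0] == 'config':
            sections.append({'type': w[1], 'name': w[2] if len(w) > 2 else None,
                             'opts': {}, 'lists': {}})
        elif w[0] == 'option' and sections:
            sections[-1]['opts'][w[1]] = w[2]
        elif w[0] == 'list' and sections:
            sections[-1]['lists'].setdefault(w[1], []).append(w[2])
    return sections

def parse_srx(text):
    """Extract only the Junos statements the mapping depends on."""
    vlan_id, vlan_l3, trunk, zone_of, helper_of = {}, {}, {}, {}, {}
    for raw in text.splitlines():
        w = raw.split()
        if len(w) < 5 or w[0] != 'set':
            continue
        if w[1] == 'vlans' and w[3] == 'vlan-id':
            vlan_id[w[2]] = int(w[4])
        elif w[1] == 'vlans' and w[3] == 'l3-interface':
            vlan_l3[w[2]] = w[4]
        elif w[1] in ('int', 'interfaces') and 'members' in w:
            # members may be one name or a bracketed list
            names = [m for m in w[w.index('members') + 1:] if m not in ('[', ']')]
            trunk.setdefault(w[2], set()).update(names)
        elif w[1] == 'security' and w[3] == 'security-zone' and w[5] == 'interfaces':
            zone_of[w[6]] = w[4]
        elif w[1] == 'forwarding-options' and w[2] == 'helpers' and w[4] == 'interface':
            helper_of[w[5]] = w[7]
    return vlan_id, vlan_l3, trunk, zone_of, helper_of

def map_ssids(srx_text, network_text, wireless_text):
    """Walk every SSID to its SRX zone; return ({ssid: chain}, [issues])."""
    vlan_id, vlan_l3, trunk, zone_of, helper_of = parse_srx(srx_text)
    id_to_vlan = {v: k for k, v in vlan_id.items()}
    trunk_vlans = set().union(*trunk.values()) if trunk else set()
    nets = {s['name']: s['opts'] for s in parse_uci(network_text) if s['type'] == 'interface'}
    chains, issues, seen = {}, [], {}
    for s in parse_uci(wireless_text):
        if s['type'] != 'wifi-iface':
            continue
        ssid, enc = s['opts'].get('ssid', '?'), s['opts'].get('encryption', 'none')
        if enc in ('none', 'wep'):
            issues.append(f"{ssid}: encryption '{enc}' gives no real confidentiality; keep it isolated")
        net = s['opts'].get('network')
        ifname = nets.get(net, {}).get('ifname', '')
        m = re.fullmatch(r'eth\d+\.(\d+)', ifname)   # tagged sub-interface, e.g. eth0.2
        if not m:
            issues.append(f"{ssid}: network '{net}' is not bound to a tagged ethN.X sub-interface")
            continue
        vid = int(m.group(1))
        if not 1 <= vid <= 4094:
            issues.append(f"{ssid}: VLAN id {vid} is outside 1-4094")
        if vid in seen:
            issues.append(f"{ssid}: shares VLAN {vid} with SSID {seen[vid]}; no separation")
        seen[vid] = ssid
        vlan = id_to_vlan.get(vid)
        if vlan is None:
            issues.append(f"{ssid}: VLAN {vid} is not defined on the SRX")
            continue
        if vlan not in trunk_vlans:
            issues.append(f"{ssid}: {vlan} is not a member of the trunk port")
        l3 = vlan_l3.get(vlan)
        zone = zone_of.get(l3)
        if zone is None:
            issues.append(f"{ssid}: RVI {l3} is not assigned to a security zone")
        if l3 not in helper_of:
            issues.append(f"{ssid}: RVI {l3} has no DHCP helper; clients will not get leases")
        chains[ssid] = {'network': net, 'ifname': ifname, 'vid': vid, 'vlan': vlan,
                        'rvi': l3, 'zone': zone, 'dhcp_server': helper_of.get(l3)}
    return chains, issues

if __name__ == '__main__':
    chains, issues = map_ssids(SRX_CONFIG, UCI_NETWORK, UCI_WIRELESS)
    for ssid, c in chains.items():
        print(f"{ssid} -> VLAN {c['vid']} ({c['vlan']}) -> {c['rvi']} -> zone {c['zone']}")
    for i in issues:
        print('ISSUE:', i)
```

Run against the post's configs it maps dsnet to VLAN 3 / zone dsnet and notyourhouse to VLAN 2 / zone guest, and its only finding is the WEP SSID. Re-running it after pointing both OpenWRT networks at the same eth0.X, or after forgetting to add a VLAN to the trunk's member list, shows how the separation collapses without any obvious symptom on the AP itself.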