Build a Wireless Access Point
With some open-source software, some hardware, and a lot of handiwork, you can make your own WAP.
By William Arbaugh
Before I tell you how to build your own wireless access point, I need to set one thing straight: You're not going to save money doing it yourself (although you won't pay much more than the price of an off-the-shelf WAP). But that's not going to stop me from showing you how to build a WAP on today's show.
Here are a few reasons why you should build your own WAP.
You can highly customize how your WAP behaves.
You'll learn how a WAP works.
You can impress your friends with your skills.
It's fun to put something together.
I use a small, inexpensive, commercial-embedded system board from Soekris Engineering. There are several software packages you can use, but I use an open-source application called m0n0wall. It provides a firewall and a Web-based configuration interface. And since it's open source, you can change it.
Wireless architecture and security
Treat all WAPs just as you do an Internet connection. They need to be protected from unauthorized use by your neighbors and passersby. The level of protection depends on what you're doing on the network, as well as the threat to your network. My how-to provides protection for most ordinary users, but I'll also tell you how you can easily increase your protection without much additional effort.
This project builds a combination firewall and WAP. If you're going to use the WAP in this how-to, you can get rid of your current network address translation/firewall box, if you already have one. See the basic architecture where m0n0wall is the firewall and WAP.
M0n0wall will be set up to use WEP (wired equivalent privacy). WPA (Wi-Fi protected access) provides the best protection, but it hasn't been incorporated into any open-source projects. WEP has problems, but several mitigation strategies make it difficult (but not impossible) to successfully exploit a network using WEP with IV filtering.
If network security is of utmost importance, use IPsec in addition to WEP.
William Arbaugh is co-author of "Real 802.11 Security: Wi-Fi Protected Access and 802.11i."
Parts and Tools
The Soekris 4521 uses an AMD ElanSC520 processor with 16 to 64MB of SDRAM. It has a pair of 10/100 Ethernet ports (RJ-45), one serial port (DB9), a mini-PCI type III socket, and a CompactFlash type I/II socket. The board uses 10 watts of power and runs on 7 to 56 volts DC. Power over Ethernet is provided using the 802.3af standard.
The boards are widely used by researchers and hobbyists around the world, and they have proven to be very dependable.
Bill of materials
One Soekris 4521-30 with case and 64MB RAM or Soekris 4511, $235 (part no. 10452131)
One kit with PCMCIA card, MMCX-RP-TNC pigtail, and rubber duck antenna, $114 (part no. KIT-EXT1-5-SOEKRIS)
One SanDisk CompactFlash Card (32 or 64MB), about $30
m0n0wall image for the Net45XX
Tools
Phillips screwdriver
USB CompactFlash reader
Computer running UNIX or Windows NT/2000/XP with a USB port
Female DB9 to Female DB9 null modem serial cable
Instructions for Building Your WAP
Remove the four black screws from the bottom of the 4521 case. Open the case.
Remove the screw post from in front of the CompactFlash socket.
Connect the pigtail to the leftmost antenna opening on the case (ant 1) with the two screws provided in your kit.
Hold the PCMCIA card so you can read the writing on the front of the card. The bottom connector is the main antenna connection for the card. This is where you will be connecting the pigtail. (Connecting the pigtail in the wrong place significantly reduces the signal strength.)
Insert the PCMCIA card into the rightmost socket on the Net4521 circuit board (J4).
Install the m0n0wall image onto the CompactFlash card following the instructions. If you are not completely comfortable with Unix, I highly recommend using Manuel's physwrite program (found on the m0n0wall site) under Windows NT/2000/XP with a USB CF reader. The program will determine the appropriate disk parameters for a successful write.
Insert the CF card into the socket and reinsert the screw post.
Attach the antenna to the connector.
Configure m0n0wall via the configuration instructions for a Net 45XX.
Once you've successfully configured m0n0wall and you're sure everything is working, reassemble the case with the four black screws.
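If you do write the image from a Unix host rather than with physwrite, the part that goes wrong most often is pointing dd at the wrong device. The script below is an added example, not the article's or the m0n0wall project's own instructions: it refuses to write to anything that is not a block device or that looks like the host's boot disk, writes the image, then reads the written prefix back and compares checksums. The image file name and the device path are assumptions; use the image name from the m0n0wall download page and the device your CF reader shows up as (for instance /dev/sdb on Linux or /dev/da0 on FreeBSD).

```shell
#!/bin/sh
# Added example (not from the article or the m0n0wall project): write the
# m0n0wall Net45xx image to a CompactFlash card from a Unix host and verify it.
# Image name and device path below are assumptions; substitute your own.

# Refuse to continue unless the image is a readable, non-empty regular file.
check_image() {
    img="$1"
    [ -f "$img" ] && [ -r "$img" ] && [ -s "$img" ]
}

# Refuse to write anywhere that is not a block device, and never to the disk
# the host booted from (a typo here would overwrite the host, not the card).
check_target() {
    dev="$1"
    [ -b "$dev" ] || return 1
    root_dev=$(df / | awk 'NR==2 {print $1}')
    case "$root_dev" in
        "$dev"*) return 1 ;;
    esac
    return 0
}

# Compare the first N bytes of the device against the image, where N is the
# image size: the card is larger than the image, so only the written prefix
# is meaningful.
verify_write() {
    img="$1"; dev="$2"
    size=$(wc -c < "$img" | tr -d ' ')
    want=$(head -c "$size" "$img" | cksum | awk '{print $1}')
    got=$(head -c "$size" "$dev" | cksum | awk '{print $1}')
    [ "$want" = "$got" ]
}

# Run the checks, write the image, flush, and verify the result.
write_image() {
    img="$1"; dev="$2"
    check_image "$img" || { echo "bad image: $img" >&2; return 1; }
    check_target "$dev" || { echo "refusing to write to $dev" >&2; return 1; }
    # Unmount any partition the OS auto-mounted from the card before writing.
    umount "$dev"* 2>/dev/null
    dd if="$img" of="$dev" bs=16k && sync
    verify_write "$img" "$dev"
}

# Usage (adjust the assumed image name and device, then uncomment):
# write_image net45xx-image.img /dev/sdb
```

Run it as root with the CF reader plugged in; a non-zero exit from write_image means either the safety checks refused the target or the read-back did not match, and in both cases nothing should be put into the Soekris until the cause is found.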
Configure the m0n0wall Software
Attach the null-modem cable to the WAP and your computer's serial port. (Check the BIOS to see if your serial port is enabled. The serial ports on IBM Thinkpads are disabled by default.)
Open your favorite terminal application and set the baud rate to 19200 (the Soekris default).
Power up your WAP.
Once you see the boot counter, hit Ctrl + P on your keyboard to stop the comBIOS boot process and enter the monitor command prompt.
Type "set conSpeed=9600" (without quotes) to set the console speed to 9600 baud. See an example.
Turn off the WAP and unplug it.
Set the baud rate for your terminal application to 9600 baud.
Reapply power to the WAP, and you should see the boot process begin again.
You should see the m0n0wall serial configuration prompt. Here's what it looks like.
Assign the wireless device to the m0n0 configuration. Press 1 to assign interfaces. Now enter sis0 for the LAN interface, sis1 for the WAN interface, and wi0 as the optional interface, as shown here. Finally, hit Return. The system will now reboot.
Use the Web interface
After completing the above steps, you're going to use the Web interface to configure the WAP.
Connect the Ethernet port on the WAP to a switch, hub, or to your computer with a cross-over cable.
Open your Web browser, enter "http://192.168.1.1" (without quotes) in the URL box, and hit Return.
A dialog box should appear.
User name: admin
Password: mono
You should see the main webGUI configuration window.
Click on the OPT1 entry under Interfaces. This will take you to the wireless configuration page.
You want to select the "Enable Optional 1 Interface" box, and enter a name in the description text box. I used the name WiFi.
Under IP Configuration, you want to select LAN from the pull-down menu where it says "Bridge with." This will create a bridge between your wireless network and LAN so all of your computers share the same LAN segment.
Now set a name, or SSID, for your network and leave everything else the same. We're not setting the WEP key here because we want to make sure things work. If you desire additional protection, you'll need to look into using the IPsec support provided with m0n0wall.
Click Save and wait for the page to update itself.
Now we need to add a firewall rule so traffic from the LAN interface is forwarded onto the WiFi interface. Select Rules under the Firewall column. You should see this screen with one default rule listed.
Click on the rightmost + sign to add the new rule. Then modify the following settings.
Action: Pass
Interface: WiFi
Source: LAN subnet
Destination type: Any
Description: Enter a name so you can recognize the rule.
Save the rule. On the next screen click Apply changes. Your changes won't go into effect until you click this button.
There is only one more thing to configure: the password. In the gray column on the left, click General Setup.
You should be at the System: General setup page. Under the Password setting, enter your new password in the provided spaces.
Under Time Zone, pick the zone closest to you.
Click Save.
Final steps
Assuming your ISP provides you with an address via DHCP, take a network cable and connect the Eth1 port of the WAP to your cable/DSL modem. The Eth0 port is your local area network; connect that one to a switch or hub. If you want to make a direct connection to your computer without a switch or hub, then you need a cross-over cable.
Now reboot your wireless AP/firewall, and it should obtain an address from your ISP. Once the system has rebooted, you can connect your computer to the switch/hub or wireless network. The system contains a DHCP server, so you shouldn't have to do any configuration on your computers as long as they're set up to use DHCP, which most are.
Now from a terminal window on your computer, enter the command ping 192.168.1.1. This will test your WAP. If you get a response, then try and ping a host on the Internet such as ping www.techtv.com.
Go back and set a WEP key for the Wi-Fi interface as well as on all of your wireless computers. Not using WEP will leave your network wide open for anyone who cares to use (or abuse) it. WEP was left off until now only to make initial testing easier.
After you set the WEP keys, turn WEP on and you're done.
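A WEP key entered as hex must be exactly 10 hex digits (a 40-bit key, usually sold as "64-bit WEP") or 26 hex digits (104-bit, "128-bit WEP"), and the same key has to be typed identically on the WAP and on every client. The functions below are an added example, not part of the article or of m0n0wall: one draws a key of the right length from /dev/urandom so you are not relying on a passphrase-to-key generator, and the other checks a key before you type it into the Wi-Fi interface page and each client. The key lengths are the standard ones; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the article or m0n0wall): generate and check WEP
# hex keys of the correct length before entering them on the WAP and clients.

# A hex WEP key is 10 digits (40-bit) or 26 digits (104-bit); anything else
# will be rejected or, worse, silently truncated by some client drivers.
wep_key_valid() {
    key="$1"
    case "$key" in
        *[!0-9A-Fa-f]*) return 1 ;;   # non-hex character present
        "") return 1 ;;
    esac
    len=${#key}
    [ "$len" -eq 10 ] || [ "$len" -eq 26 ]
}

# Draw the key from the kernel's random source rather than deriving it from a
# word; pass 40 or 104 to pick the key size (104 is the default).
gen_wep_key() {
    bits="${1:-104}"
    case "$bits" in
        40)  bytes=5 ;;
        104) bytes=13 ;;
        *)   echo "key size must be 40 or 104" >&2; return 1 ;;
    esac
    od -An -N"$bytes" -tx1 /dev/urandom | tr -d ' \n'
}

# Usage: print a fresh 104-bit key, then confirm it passes the length check.
# key=$(gen_wep_key 104) && wep_key_valid "$key" && echo "$key"
```

Use the 26-digit form wherever the WAP and all of your client cards support it; the check function is also handy for catching a key that was copied with a stray space or an O in place of a 0.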