[lug] Wi-Fi Firewall

Nate Duehr nate at natetech.com
Mon Oct 14 15:29:36 MDT 2002

> been away for a few years, but have always followed the list
> where I was at,
> been a great resource for info and assistance. Anyhow I've recently moved
> back to Boulder. Living up beyond the reach of Quest DSL and AT&T
> broadband
> (though this is probably a blessing) I'm using an 802.11b WISP up here in
> the hills and want to build a combination wireless-bridge/Access
> Point/router/DHCP server/firewall linux box, mostly for fun but also as
> necessity. Not even sure there's a single off-the-shelf solution that does
> all these things at the same time, though I'm sure I could accomplish the
> same thing with a few products strung together, but I'm trying to
> eliminate
> as much cat 5 as possible.  That and I like to make things difficult ;o)

Hahaha... been there!

> Thought I'd pick up an old Pentium or PII box, slap in 2 Orinoco
> wi-fi cards
> w/PCI sleds and a regular NIC The regular wired NIC is mostly for
> setup and
> troubleshooting as well as any wired clients that may need access. Then
> attach a pigtail to one orinoco card from the external antenna for the
> bridge and put the other in infrastructure mode. On the
> software/system side
> run dhcpd, iptables & IP Masquerade. Which leads me to my questions.

This is "do-able" if the WiSP folks are not using any of the commercial
products that mess with the wireless card and make it do special security,
etc.  (Karl-Net, etc.)

> 1. Does anybody see any problems with or have any suggestions for
> this idea?

Have built a box similar to this.  The ISA-to-PCMCIA adapter things are
useful.  However putting two of them in the box can be problematic for three
reasons: 1) space  2) RF interference between the two cards  3) IRQ and the
usual addressing collisions with ISA-bus cards... all that fun stuff.

> 2. Anybody tried anything like this?

See above.  (GRIN)

> 3. Anybody got an older box they want to get rid of? I know i can pick one
> up on ebay, but the shipping is usually as much as the box is worth ;o)
> Figured I'd ask around first.

Sorry, I've used up all of my toys ... of course if my work situation
continues to be bad, I'll happily sell you all these boxes... heh.

Other things to watch out for...

If you're planning on having the thing act as an access point for other
wireless clients, you'll have to go with the Prism II chipset wireless
cards.  There's code out to make those cards act in true access point mode.
Otherwise you'll be in Ad-Hoc mode, and depending on the mix of cards, you
may or may not be able to do proper encryption stuff.

Once the wireless cards are up and talking, the rest is "standard" iptables
or ipchains, or whatever you like to use for the NAT and routing... only
thing to avoid is don't try to mix the kernel bridging software with
wireless cards... it doesn't work right.  (GRIN)  Tried that.

If you're wondering about other stuff, I probably forgot to mention a bunch
of stuff... ask away, I'll try to help.  It was a massive waste of time to
get all this working for a friend, but eventually we got it.  Typical...
time vs. money thing... we had the time... (GRIN).  We also didn't get
everything working the way we wanted, but we were just messing around.  The
Prism II access point stuff never acted the way we wanted it.

We ended up using the wireless card to get to his WISP and then going out
the standard ethernet card to a switch (could have easily been a hub, it's
just what we had lying around...) and then he bought a real access point and
put it on a different frequency away from his WISP connection for his
wireless clients... most of his machines were wired already, so this worked
out well for him...

Me personally, I've been playing with the WET11 from Linksys, their new
little "client" gadget that acts as a bridge to a wireless network already
in place and bridges to Ethernet... that's a neat little box... but doubtful
that you could use it with your WISP???  Ask away if you need info on it,
with an external antenna, it might work, depending on how the WISP is set up
networking-wise.  The one I'm using here works great... bridges a bunch of
machines in one location in the house to the basement to the access point,
no problem... cheap ethernet cards in the machines and a cheap switch behind
the WET11 works well.

If I misunderstood what you're trying to do, holler.

Nate, nate at natetech.com

More information about the LUG mailing list