How-Tos On the Way

Stay tuned!

So, here is the scenario: you need a wireless network for guests, and it has to be easily accessible (i.e. it can't require a WPA supplicant) and secure. This is a common problem, and one that is not-so-easily solved. For example, you may want a separate wireless network for training rooms, on-site visitors, consultants, or just general guests to your organization. Guests such as these typically only require access to the Internet and nothing else. The nice part is, all this can be done for under $300 (on a small scale with two access points), and it's all open-source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Of course, this is only the first step. In future parts we will show you how to add the security measures, such as captive portals, bandwidth shaping, intrusion detection, and firewalling. To get us started you will need:
Below are the step-by-step guidelines for getting the initial setup going:
Step 1 - Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question: why does Linksys not enable boot_wait by default?) Also, do not use the PoE adapters when flashing!
Step 2 - Change the IP address of the routers, enable boot_wait, and set the hostname:
nvram set lan_ipaddr="10.10.10.5"
nvram set boot_wait="on"
nvram set wan_hostname="myap1"
nvram set wan_proto="none"
nvram commit
Step 4 - Harden and performance tune OpenWrt - Remove the packages that are not required:
ipkg update
ipkg remove ppp ppp-mod-pppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade
Disable services not required:
cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet
Step 5 - Enable DHCP on each of the access points:
cat > /etc/init.d/S60dnsmasq
#! /bin/ash
/usr/sbin/dnsmasq &
CTRL-D
Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:
# enable dhcp (start,end,netmask,leasetime)
dhcp-authoritative
dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h
dhcp-leasefile=/tmp/dhcp.leases
# use /etc/ethers for static hosts; same format as --dhcp-host
#
read-ethers
# other useful options:
# Default Gateway
dhcp-option=3,10.10.10.1
# DNS Servers
dhcp-option=6,10.10.10.6,10.10.10.7
Step 6 - Reboot the WRT54GL, make sure all is well. Now, connect the PoE adapters and place the APs where you want them.
Step 7 - Configure Wireless - Place the access points on their respective channels using the command nvram set wl0_channel=1. Ideally, you could have 3 APs, one each on channels 1, 6, and 11. Now, set all of the SSIDs to the same value using the command nvram set wl0_ssid="guestwireless". Finally, be certain to run nvram commit to commit your changes, and /sbin/wifi so that the wireless system picks up the new values.
You should now be able to associate to the given SSID. Which access point you associate with will depend heavily on the wireless driver that you are using, and other factors that require too much math.
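With several access points to keep consistent, it helps to audit each one against Steps 2 through 7. The script below is an added example, not part of the original how-to; it assumes a copy of the AP's /etc has been placed under a directory (ROOT) and that the output of nvram show was saved as key=value lines, and the function name audit_ap is hypothetical.

```shell
#!/bin/sh
# Added example: audit one AP against the baseline from Steps 2-7.
# Usage: audit_ap ROOT NVRAM_DUMP
#   ROOT       directory holding a copy of the AP's /etc (assumption)
#   NVRAM_DUMP key=value lines, assumed saved from `nvram show`
# Prints one FAIL line per finding and returns the number of findings.
audit_ap() {
    root=$1; dump=$2; fails=0
    fail() { echo "FAIL: $1"; fails=$((fails + 1)); }
    nv() { sed -n "s/^$1=//p" "$dump" | head -n 1; }

    # Step 4: the renamed init scripts must no longer match S*.
    for svc in S50httpd S50telnet; do
        if [ -e "$root/etc/init.d/$svc" ]; then fail "$svc still enabled"; fi
    done

    # Step 5: dnsmasq start script plus the DHCP settings. grep -x matches
    # whole lines only, so a commented-out option counts as missing.
    [ -f "$root/etc/init.d/S60dnsmasq" ] || fail "S60dnsmasq missing"
    for opt in dhcp-authoritative \
        'dhcp-range=10.10.10.100,10.10.10.150,255.255.255.0,12h' \
        'dhcp-option=3,10.10.10.1'; do
        grep -qxF -- "$opt" "$root/etc/dnsmasq.conf" 2>/dev/null ||
            fail "dnsmasq.conf lacks: $opt"
    done

    # Steps 2 and 7: nvram settings; channel must be 1, 6 or 11.
    [ "$(nv boot_wait)" = on ] || fail "boot_wait is not on"
    [ "$(nv wan_proto)" = none ] || fail "wan_proto is not none"
    [ "$(nv wl0_ssid)" = guestwireless ] || fail "SSID is not guestwireless"
    case "$(nv wl0_channel)" in
        1|6|11) ;;
        *) fail "wl0_channel is not 1, 6 or 11" ;;
    esac
    return "$fails"
}

# Run the audit when called with both arguments.
if [ "$#" -eq 2 ]; then audit_ap "$1" "$2"; fi
```

A return value of 0 means the copy matches the baseline; any other value is the number of FAIL lines printed.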
In Part II, we will show you how to implement a captive portal for guest authentication, and add additional layers of security such as intrusion detection and IP filtering.
PaulDotCom (Edits by Larry Pesce)
Over the past few months I've been contemplating a few projects for some WRTSL54GS routers with OpenWrt, however I really need these to have a high gain antenna on the WRTSL54GS. As you may recall, this model has a fixed antenna, with no option for adding one. I decided that I needed to fix that "design flaw".
Note: By adding various antennas to this device it may become possible to violate your local or federal regulations on output power. Be careful!
First off, we need to open the WRTSL54GS up. The screws are located under the rubber feet. Once apart, we need to de-solder the current, fixed antenna from the board. Follow the LMR cable from the antenna to the board, and de-solder both strands of the LMR from the board.
Once removed, the board should reveal two pads on which we need to solder our new connector.
Once de-soldered, we can remove the antenna from the case by pinching the end of the antenna on the inside of the connector. This will compress the size so that the outer locking ring will pass through the mount.

We need to make sure that we have an appropriate connector to attach a new antenna to. I happened to have scavenged parts from an old Linksys BEFSX series model. This old router had an internal PCMCIA card with two pigtails, one end with the standard RP-TNC antenna connector.

I removed the connector at the other end of the cable, as it is not important. I gave it a good pull, but certainly a pair of wire cutters will get the job done.
Strip the LMR cable back so that the inner and outer conductors are staggered. Match up the lengths that you need with the two pads to verify your length - the smaller inner conductor will be attached to the smaller pad on the board, while the outer conductor will be attached to the larger pad. Don't solder them together! This will create a short, and render your antenna inoperable, possibly even frying your router!

We also need to modify the case so that the external portion of the connector will fit through. My connector at the base was 3/4 of an inch, so I drilled a 3/4 inch hole into the edge of the case, right near the original connector.

Part of the selection of this location was so that it would still be at the top of the unit, and the board has a notch out of it at this location. The notch leaves a handy place to be able to fit the additional portion of the connector between the board and the edge of the case.

Once mounted, solder the LMR from our new connector to the board as described earlier. I utilized some electrical tape to maintain the bend in the LMR and to hold it down to the board. This allows me to have both hands free to solder!

Once complete we can reassemble our router and show off our new connector.

One of the nice features of using the RP-TNC connector is that we can reuse antennas from most of our other Linksys devices!

Have fun adding new antennas!
- Larry "haxorthematrix" Pesce
larry /at/ pauldotcom.com