Configuring Linux as a Wireless Router (Configure Wireless Card as AP on Separate Network)?

3

1

I have a custom built home security system I am working on using Arch Linux, Zoneminder, and a set of Foscam FI9800P wireless IP cameras.

The system being built has a gigabit ethernet port which I would like to use to connect it to the primary home network to access the Zoneminder web UI. It also has a PCIe wireless card which I would like to use to host a completely separate wireless network isolated from the primary network. This network will be used exclusively for the IP cameras to help eliminate bandwidth usage on the primary network.

The issue I'm running into and can't seem to find a solution for is that I can use create_ap to establish an access point but I want it to be a separate network. All resources I've found searching online describe access points only and nothing regarding a wireless router. There are articles on the ArchWiki for creating a router (which I've followed), and internet sharing (which doesn't detail wireless APs) but I can't find anything for this circumstance.

Can anyone help in either pointing to documentation or detailing any methods to use a Linux based PC as a wireless router?

EDIT (For clarification)

It's mainly just the wireless aspect I need info on. I have another computer on my network set up nearly the same in a hardwired configuration as my home router, were this two ethernet interfaces I'd be golden, it's the wireless AP and getting it working that I'm having the trouble with.

FatalKeystroke

Posted 2017-02-28T15:03:32.353

Reputation: 33

Answers

2

This is actually much easier than you think, you just need to install and deploy hostapd and dnsmasq.

hostapd transforms your wifi interface into an access point. There is a pre-condition to this, that the wifi card supports AP mode: you test it as follows,

iw list | less
  .....
software interface modes (can always be added):
             * AP/VLAN
             * monitor

If AP appears where it is, then you are good to go. A typical hostapd configuration file, /etc/hostapd/hostapd.conf, looks like this:

interface=wlan0
driver=nl80211
beacon_int=100
hw_mode=g
ieee80211n=1
wme_enabled=1
country_code=US
ssid=MySSID
ieee80211d=1
channel=3
wpa=2
wpa_passphrase=MySuperSecretPassword
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0
ignore_broadcast_ssid=0
#logger_syslog=-1
#logger_syslog_level=2
#logger_stdout=-1
#logger_stdout_level=2

This configuration file does not include the statement

bridge=br0

because you indicated no desire to set up a wired component of the LAN, just the wireless one. The bridge is generally used so that the router appears at the same IP address to both wired and wireless clients, and to simplify routing.

The wifi needs an IP address,

ip addr add 192.168.251.1/24 dev wlan0 

and IPv4 forwarding to allow wifi clients to talk to the world. Lastly, you need to set up dnsmasq to provide DHCP and DNS services for your clients. A typical /etc/dnsmasq.conf configuration file looks like this,

domain-needed
bogus-priv
dhcp-authoritative
no-dhcp-interface=eth0
interface=wlan0
server=/someremote.lan/192.168.1.1
local=/my.lan/
server=8.8.8.8
server=8.8.4.4
expand-hosts
domain=my.lan
dhcp-range=192.168.251.32,192.168.251.90,12h
dhcp-host=AA:BB:CC:DD:EE:FF,SomeName,192.168.251.129,12h
dhcp-host=00:11:22:33:44:55,hp-printer,192.168.251.210,12h
dhcp-option=119,my.lan,someremote.lan
dhcp-option=252,"\n"
dhcp-host=AA:11:BB:22:CC:33,ignore
cname=SomeOtherName.my.lan,elastix

where I kept some features which may or may not be of interest to you.

Enable both services via systemctl, make sure the wifi card has an address at boot time, enable MASQUERADING on the internet-connected interface,

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

and you are good to go.

MariusMatutiae

Posted 2017-02-28T15:03:32.353

Reputation: 41 321

That works except the IP for the WAP isn't persistent over reboots. I'm having weird behavior now though, it's automatically assigning the WAP with 169.254.156.239/16 at boot time. I can reassign it manually as in your answer but when I set a netctl profile to give it 172.16.0.1 it doesn't persist. Other than that you've solved my problem, thank you very much for the help. – FatalKeystroke – 2017-02-28T20:05:13.793

Never mind, I just set BindsTo in the systemd service for hostapd to wait for the network interface and it was good. – FatalKeystroke – 2017-03-01T03:41:28.003

Cool, looks as if you got what you needed. – asmith – 2017-03-01T10:25:32.027
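
An added example, not part of either answer: the question asks for a camera network isolated from the primary one, while the forwarding and MASQUERADE steps in the answer above route camera traffic out through eth0. The script below shows one way to enforce the isolation with iptables and to audit the result; wlan0 and 192.168.251.0/24 are taken from the answer, while the chain name CAM_IN and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the answer): keep the camera WLAN off the primary LAN.
# Assumed names: wlan0 and 192.168.251.0/24 follow the answer; CAM_IN is made up.
# IPT defaults to a dry run that prints each command; run with IPT=iptables
# as root to apply them.
IPT="${IPT:-echo iptables}"
CAM_IF="${CAM_IF:-wlan0}"
CAM_NET="${CAM_NET:-192.168.251.0/24}"

camera_isolation_rules() {
    # Dedicated chain for everything the cameras send to this host.
    $IPT -N CAM_IN
    # Replies to connections the host opened (ZoneMinder pulling streams).
    $IPT -A CAM_IN -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # DHCP to dnsmasq; clients have no address yet, so no source match.
    $IPT -A CAM_IN -p udp --dport 67 -j ACCEPT
    # DNS to dnsmasq, camera subnet only.
    $IPT -A CAM_IN -s "$CAM_NET" -p udp --dport 53 -j ACCEPT
    $IPT -A CAM_IN -s "$CAM_NET" -p tcp --dport 53 -j ACCEPT
    # Anything else aimed at the host (web UI, SSH) is dropped.
    $IPT -A CAM_IN -j DROP
    $IPT -I INPUT 1 -i "$CAM_IF" -j CAM_IN
    # Nothing is routed between the camera WLAN and other interfaces.
    $IPT -I FORWARD 1 -i "$CAM_IF" -j DROP
    $IPT -I FORWARD 1 -o "$CAM_IF" -j DROP
}

# Audit helper: feed it `iptables -S FORWARD`. Succeeds only when DROP rules
# for both directions of the camera interface come before any ACCEPT rule
# (deliberately conservative: any earlier ACCEPT counts as a failure).
forward_isolated() {
    awk -v ifc="$CAM_IF" '
        $1 != "-A" { next }
        $NF == "DROP" && index($0, "-i " ifc " ") { in_drop = 1 }
        $NF == "DROP" && index($0, "-o " ifc " ") { out_drop = 1 }
        $NF == "ACCEPT" && !(in_drop && out_drop) { bad = 1 }
        END { exit !(in_drop && out_drop && !bad) }'
}

camera_isolation_rules   # dry run: prints the nine commands
```
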

0

For this, correct me if I am wrong, but I am going to run under the assumption that you know a little more than the average Joe when it comes to understanding networks and how Linux works.

Also if I have read this correctly, you can create an Access Point using your current network card (You didn't specify the make and model, as some wireless cards can only do ADHOC not AP mode) but the only issue you are having is that the wireless network ends up being on the same network as everything else.

I found a forum that may help you in creating a separate network for your wireless interface, even though this talks about wired interfaces I am sure you can adjust it for your needs.

And I am not sure if you know how to use IPTables to create firewall rules to segregate the networks and traffic flow. If you need this info, let me know, I will put something together.

Here is a link to the forum I found: http://www.linuxquestions.org/questions/linux-networking-3/setting-up-a-dhcp-server-with-multiple-network-interfaces-debian-648404 Even though it says debian, the dhcp server should be the same in arch as it is in debian/ubuntu.

Here is a rundown of what is on the forum:

Posted/Credits by/to Srz0rz, Auckland, New Zealand:

/etc/dhcp3/dhcpd.conf

##########################################
#####----- Global Configuration -----#####
##########################################
ddns-updates off;
option T150 code 150 = string;
deny client-updates;
#one-lease-per-client false;
#allow bootp;

ddns-update-style none;

option domain-name "vlan.local";
option domain-name-servers    210.56.15.1, 231.117.250.27;

default-lease-time 6000;
max-lease-time 7200;

authoritative;
##############################################
#####----- End Global Configuration -----#####
##############################################

###############################################
#####----- Start Modem Configuration -----#####
###############################################
subnet 192.168.1.0 netmask 255.255.255.0 {
  interface eth0;
}
#############################################
#####----- End Modem Configuration -----#####
#############################################

####################################################
#####----- Start Downstairs Configuration -----#####
####################################################
subnet 192.168.0.0 netmask 255.255.255.0 {
  interface eth1;
  default-lease-time 6000;
  max-lease-time 7200;
  option subnet-mask 255.255.255.0;
  option routers 192.168.0.254;
  option broadcast-address 192.168.0.255;
}
##################################################
#####----- End Downstairs Configuration -----#####
##################################################

##################################################
#####----- Start Upstairs Configuration -----#####
##################################################
subnet 10.0.0.0 netmask 255.255.255.0 {
  interface eth2;
  default-lease-time 6000;
  max-lease-time 7200;
  range 10.0.0.100 10.0.0.200;
  option subnet-mask 255.255.255.0;
  option routers 10.0.0.254;
  option broadcast-address 10.0.0.255;
}
################################################
#####----- End Upstairs Configuration -----#####
################################################

#####################################################################
#####----- Start Server and Fixed IP Address Configuration -----#####
#####################################################################
group{
  ###--- Any global server settings should go here ---###

  #- Printer -#
  host printer {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.25;
      }
  #- J computer -#
  host j {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.105;                   
  }
  #- TServer computer -#
  host tserver {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.110;
  }
  #- Windows 2008 Server -#
  host win2008server {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.115;
  }
  #- Asterisk Box -#
  host asterisk {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.120;
  }
  #- WWW Server -#
  host www2 {
      hardware ethernet 00:00:00:00:00:00;
      fixed-address 10.0.0.125;
  }
}
###################################################################
#####----- End Server and Fixed IP Address Configuration -----#####
###################################################################

NOTE: I have changed the ip addresses and zeroed out the MAC addresses of the interfaces. You should assume that each interface for the server section has a unique MAC address.

I have also tried adding the interfaces in the /etc/default/dhcp3-server file:

# Defaults for dhcp initscript
# sourced by /etc/init.d/dhcp
# installed at /etc/default/dhcp3-server by the maintainer scripts

#
# This is a POSIX shell fragment
#

# On what interfaces should the DHCP server (dhcpd) serve DHCP requests?
#       Separate multiple interfaces with spaces, e.g. "eth0 eth1".
INTERFACES="eth1 eth2"

But still no luck getting it to work on the eth1 interface. I'm wondering whether the 'interface ethX' lines in each subnet stanza are recognized. Basically I'm just trying to say that any requests for dhcp leases coming from eth1 should get the 192.168.... subnet and any requests for dhcp leases coming from eth2 should get the 10.0.... subnet.

Posted/Credits by/to emi_ramo, Barcelona, Spain:
range 192.168.0.50 192.168.0.100;
inside each subnet. If problem persists, come here again.
See you!!
emi

Posted/Credits by/to Srz0rz, Auckland, New Zealand:

Thank you emi_ramo! Adding the line 'range 192.168.0.200 192.168.0.253' to the 192.168.0.x subnet declaration worked. I can't believe it was that simple.

This I hope should get you what you need as far as two networks, but remember to use IPTables to make sure there is network segregation (Let me know if you need help with this also), and if needed, routes in place, which should already be handled by the dhcp server.

asmith

Posted 2017-02-28T15:03:32.353

Reputation: 331

To address your assumptions: -- I don't have a degree or anything but I am very familiar with networking principles and have enough knowledge to do this, I just can't find resources on how to do the wireless access point as an interface to the computer (for which the routing capability is already mostly taken care of). -- The wireless card does have the ability to act in AP mode, I can already get it working as described just not in the way I want. I will take a look here and play around with this to see if I can get it to solve my problem, thank you. – FatalKeystroke – 2017-02-28T16:17:07.933

Can you point me to resources that you already used to get you to where you are at, I will read over them and see if I can help you from there. So did anything I posted help or do I have to scratch that – asmith – 2017-02-28T16:20:17.127

A mashed combination of existing knowledge plus Router - Archwiki, Netctl - Archwiki, Shorewall - Archwiki (Which I previously was unfamiliar with), How to Create an 802.11n AP (Which only gave me an AP to the main network), Software Access Point - Archwiki. -- I'll have to spend some time looking at your link to find out. – FatalKeystroke – 2017-02-28T16:28:54.623

And sorry about the link dump style, but I got bits and pieces from each. – FatalKeystroke – 2017-02-28T16:29:26.210

Correction, that's not quite what I need, it's setting up the WAP as an interface which will accept connections from client devices (cameras, and my phone to set up the cameras). It's just the Wireless aspect I can't get working, everything else I'm good on. – FatalKeystroke – 2017-02-28T16:32:23.770

Ok, I will go over your links and report back and I will work on finding a solution for you, the problem seems all too simple now to have a complicated answer, but isn't that the way it usually happens... :D – asmith – 2017-02-28T17:00:10.143

That's what I've found in my experience too, I feel it's going to be something small and simple that I just haven't found. Thank you for your help. – FatalKeystroke – 2017-02-28T17:04:26.047