A few nights ago I decided I wanted wireless access at home. At the same time, I realised my bank account won't support the purchase of any additional wireless equipment. Its then that I recalled the fact I have a old blueberry laptop, that for one reason or another, runs netbsd. This blueberry ibook was also equipped with an airport card.
This document details (breifly, for I am never good on details) the process I went through of setting up a wireless router with MAC address xltering.
Note that I assume you already have netbsd 1.6.2 or greater installed. How to install netbsd on a blueberry ibook is a complete epic in itself, and frankly, I haven't the faintest idea how I accomplished it. I more or less woke up one morning, and it was booting. Honest.
My network is structured such that there are 2 subnets:
- 192.168.0.0/24 for lan
- 192.168.1.0/24 for wireless
steve@eva00::~> cat /etc/ifconfig.wi0wiconfig wi0 -c 1 causes the airport card to create IBSS, so other wireless devices can see it. -p 1 causes the card to enter into BSS mode. Now this isn't strictly correct, but some how it magically works. If you know why, feel free to let me know! :-)
inet 192.168.1.1 up media DS11 mediaopt adhoc nwid g3_bridge
!wiconfig wi0 -c 1
!wiconfig wi0 -p 1
steve@eva00::~> cat /etc/ifconfig.gem0
inet 192.168.0.4 up netmask 255.255.255.0
Routing and NAT setup
Routing and NAT under netbsd is fairly well documented, so I am just going to be brief:
- echo net.inet.ip.forwarding=1 >> /etc/sysctl.conf
- echo pass in all > /etc/ipf.conf
- echo pass out all >> /etc/ipf.conf
- echo map gem0 192.168.1.0/24 -> 0.0.0.0/32 > /etc/ipnat.conf
- echo ipfilter=YES >> /etc/rc.conf
- echo ipnat=YES >> /etc/rc.conf
- shutdown -r now
For one reason or another, ipf doesn't do MAC filtering, so we are going to do it via ARP tables. It might be nasty, but it works :-)
Basically we map all IP address to some dummy IP, so any one connecting will be royally buggered. To let a trusted host join the network, we will map their IP to their MAC address. I should pointed out that a sufficiently determined attacker can easily capture enough packets to determine both the IP and MAC address required to access the network. This is not the magic bullet, just another fence, and not even a tall one.
The arp utility is used to create our ARP table, and set the router to act as an ARP server on the wi0 interface, so it answers all ARP requests on the 192.168.1.0/24 network. The command
usage: arp -s hostname ether_addr [temp] [pub]is used to map a hostname (IP) to an ether_addr (MAC), and if the pub keyword is present, it will be published, and the server will act as an ARP server for that host. Now 192.168.1.0/24 has 256 hosts, and doing 256 such commands is a pain. Thankfully arp -f allows us to specify a file containing lines with the same syntax as above, to add entry to the ARP table. But this still requires a file containing 256 lines. Bummer.
Its at this point the legendary laziness of geeks prevails, and arp-deny is thus born. This simply program reads in a file containing trusted hosts' IP and MAC address, and generates output suitable for use with arp. I wrote a simple script to re-create the table, so I can easily add new hosts:
root@eva00::~> cat /usr/pkg/etc/rc.d/arp-deny.shYet another get-it-working-asap hack :-) For reference, here is my /etc/arp-allowed file:
# clear the table
/usr/sbin/arp -d -a
# re-generate the arp-deny list
/root/arp-deny/arp-deny 192.168.1. 00:00:00:00:00:00 /etc/arp-allowed > /etc/arp-deny
# re-populate it
/usr/sbin/arp -f /etc/arp-deny > /dev/null 2>&1
root@eva00::~> cat /etc/arp-allowedValues has of course been censored :-) To add a new host, simple do
echo IP MAC >> /etc/arp-allowed && /usr/pkg/etc/rc.d/arp-deny.shEasy as pie :)
This really calls for a bridge, but for some reason I could not get a wireless/lan bridge working, so the router option was taken. If you can create a bridge, then by all means, do it. Ignore this method completely.
With the above configuration, in order for your lan (192.168.0.0/24) clients to access their wireless (192.168.1.0/24) siblings, you need to add a static route, either on the machines or on your router, so that they use our router (192.168.0.4) as the gateway when attempting such communication events.
MAC filter is also rather weak. Its strongly encouraged that you read up on WEP and enable it.
Hope this was helpful :-)