Setting Up a Wireless LAN

Selecting wireless cards

Not all wireless LAN cards that you can purchase today will work with Linux. When you select a card, make sure that a Linux driver has been created for the card. You will also want to look for several other features:

• Card type — Most wireless LAN cards are in PCMCIA (PC-card) form. To use these cards in desktop computers you will probably need an ISA or PCI adapter card.

• Cost — If you shop around, you can find wireless LAN cards that cost between $29 and $100 (and the prices will probably have gone down by the time you read this). More expensive cards may include external antennas or better encryption (128-bit as opposed to 64-bit).

• External connector — Different wireless LAN cards have different types of connectors, which can lock you into buying antennas from the manufacturer of the LAN card if you are communicating outside of a small area. People who know such things tell me that it is possible to take apart the cards and hack together your own antenna. However, because I don't want to be responsible for wrecking your card, and because there are legal issues related to antenna usage, I don't recommend this.

• Configurability — If you really want to fine-tune your wireless LAN, find out how much control you have over configuring a card before you choose it. Descriptions of the iwconfig command later in this chapter will help you understand which wireless extensions you can manipulate. Refer to man pages for individual wireless-card drivers (for example, type man wvlan_cs), for information on specific parameters that you can change.

I chose to use Orinoco wireless PC cards from Proxim Corporation to illustrate how to set up a wireless Linux LAN. Although other wireless cards are supported in Linux, Orinoco cards seem to have particularly good Linux drivers, and many people have reported success using them. The cards are also relatively inexpensive (about $60 to $90 at the time of this writing). Before Proxim acquired the Orinoco line from Agere Systems, Orinoco cards were referred to as WaveLAN cards and were produced by Lucent Technologies (as well as AT&T and NCR).

Other wireless cards supported in Red Hat Linux are listed in the PCMCIA Card Configuration Database file (/etc/pcmcia/config). Table 15-1 shows the wireless-network adapters listed in this file, along with the module required by each.

The Orinoco PC cards I purchased use the orinoco_cs module. The cards come in two types: Gold Label, which offers 128-bit WEP RC4 encryption, and Silver Label, which offers only 64-bit WEP RC4 encryption. The two cards differ in cost by about $10. Both cards:

• offer compatibility with earlier WaveLAN/IEEE products.

• can communicate with other 802.11b wireless LAN equipment that has been Wi-Fi–certified by WECA.

• enable you to select transmission rates (11, 5.5, 2, or 1 Mbps), select channels (in the 2.4 GHz range), and use power-management features.

Because antennas are built into Orinoco PC cards, you may not need an additional antenna for indoor office environments. As with any wireless card, the distances you can achieve between your wireless nodes depend on transmission rate (lower speeds go farther), receiver sensitivity, and the amount and type of obstacles. At the maximum transmission rate (11 Mbps), the Orinoco card gives you an estimated range of between 80 feet (25 meters) in a closed area and 525 feet (160 meters) in an open area with no additional antenna.

Selecting adapter cards

If the computers on your wireless network are all laptops with PCMCIA slots, you only need to plug in your wireless cards to get started. However, if you are using a desktop computer with only ISA and PCI slots, you will also need an adapter card.

Before you purchase a wireless LAN card for your desktop computer, make sure that you can get a compatible adapter card. Proxim Corp. offers both ISA and PCI Orinoco adapter cards. If you have an ISA slot available, you should get an ISA adapter. The ISA card supports the following I/O addresses: 3E2-3E1 (default) and 3E2-3E3.

The PCI adapter works on computers that have the following features:

• PCI 2.2 (or higher) BIOS support

• PC99 compliance

• PCI slots only

The PCI adapter will not work on some older computers that don't meet the BIOS specifications. To use the PCI adapter in Linux, you may have to perform additional configuration in the operating system.

Selecting antennas

If you are setting up your wireless LAN among several computers in close proximity to each other, you may not need an additional antenna. To deal with obstructions and longer distances, however, you can add indoor or outdoor antennas to your wireless hardware.

Again, because I have been discussing Orinoco wireless PC cards, I will illustrate different types of indoor and outdoor antennas that are compatible with those cards.

Choosing equipment

Start with two computers. (You can add more computers later, once you understand how to get your wireless interfaces working.) For this procedure, I used computers that had the following characteristics (you can use different computers and cards, if you like):

• Computers — One computer was a laptop with an available PCMCIA slot; the other was a desktop system with only PCI slots.

• Wireless cards — As I mentioned earlier, I purchased two Proxim (Lucent Technologies) Orinoco wireless LAN cards: one Gold Label and one Silver Label. For the desktop computer, I purchased a PCI adapter card because it had no PCMCIA slot. Both cards come with built-in antennas, so I had no need for additional antennas while setting up the two computers (in the same room) for wireless communication.

  Note?

  The only difference between the Gold and Silver Label cards is that the Gold card offers support for more secure encryption, so there was no reason for me to choose two different types of cards. If I had it to do over again, I would have used two Silver cards and saved a few dollars.

• Red Hat Linux — I installed Red Hat Linux on both machines, selecting a personal desktop install for the laptop and an Everything install for the desktop computer. (The Everything install was not strictly necessary, but I wanted to be able to use the GUI and various server features.)

Because I was using the desktop computer as a gateway to the Internet, that computer also had a wired Ethernet card that was connected to my DSL modem to provide a route to the Internet for any computers on my wired or wireless networks.

Inserting wireless cards

To physically install the wireless cards, follow the directions that come with the cards. For my laptop, I simply inserted one Orinoco card into a PCMCIA slot. For the desktop computer, I powered down, inserted the PCI adapter into a vacant slot, powered up, and inserted the other Orinoco PCMCIA card into the adapter.

Loading the modules

The cardmgr daemon monitors the PCMCIA slots on computers that have them. If a card is recognized and listed in the PCMCIA database when the card is inserted, the appropriate module is loaded. You should also hear two beeps indicating that the card has been recognized.

On my laptop, my Orinoco wireless card was recognized and its modules loaded. On my desktop computer (with the PCI adapter), the card was not recognized, so I had to do some extra configuration.

# lsmod
Module            Size Used by      Not tainted
orinoco_cs        5640  1
orinoco          34368  0  [orinoco_cs]
hermes            5344  0  [orinoco_cs orinoco]
ds                8608  1  [orinoco_cs]
yenta_socket     12384  1
pcmcia_core      50752  0  [orinoco_cs ds yenta_socket]

PCMCIA with adapter card

If your computer has only ISA or PCI slots, you will need an adapter to use your PCMCIA wireless LAN card. Red Hat Linux detected my adapter card and added the following lines to the /etc/sysconfig/pcmcia file so that the PCI adapter card would be recognized and the PCMCIA service would start automatically at boot time:

PCMCIA=yes
PCIC=yenta_socket

The yenta_socket driver is a PCMCIA controller driver that includes the Yenta register specification. Yenta is used for CardBus bridges made by Cirrus Logic for a variety of manufacturers (Texas Instruments, IBM, Toshiba, and others). The Orinoco PCI adapter was detected as a device using the yenta_socket driver.

Figure 15-10 shows an example of an Orinoco Silver Card using a PCI adapter.

Figure 15-10: The Orinoco Silver wireless LAN card can be used with a PCI adapter (shown here).

Checking that the cards are working

If the modules have been loaded properly, the cardmgr should recognize each card and start up the Ethernet interface for it. To check that this has happened, restart the interface as follows:

# /etc/init.d/pcmcia restart
Shutting down PCMCIA services: cardmgr modules.
Starting PCMCIA services: modules cardmgr.

You should hear a single beep when the card service stops, then two beeps when the adapter and wireless card are properly detected. Check the /var/log/messages file. You should see some messages at or near the end of this file, describing what happened when the PCMCIA interface was shut down and restarted. If the card is detected, you should see modules loaded successfully and a network interface started for the wireless card. Here are some examples:

Feb  9 17:26:33 toys kernel: Linux Kernel Card Services 3.1.22
Feb  9 17:26:33 toys kernel:   options:  [pci] [cardbus] [pm]
Feb  9 17:26:33 toys kernel: PCI: Found IRQ 5 for device 01:09.0
Feb  9 17:26:33 toys kernel: PCI: Sharing IRQ 5 with 00:1f.3
Feb  9 17:26:33 toys kernel: Yenta IRQ list 0000, PCI irq5
Feb  9 17:26:33 toys kernel: Socket status: 10000011
Feb  9 17:26:34 toys cardmgr[2571]: starting, version is 3.1.31
         .
         .
         .
Feb  9 17:26:34 toys kernel: cs: IO port probe 0x0c00-0x0cff: clean.
Feb  9 17:26:34 toys kernel: cs: IO port probe 0x0100-0x04ff: excluding
0x400-0x47f 0x4d0-0x4d7
Feb  9 17:26:34 toys kernel: cs: IO port probe 0x0a00-0x0aff: clean.
Feb  9 17:26:34 toys kernel: cs: memory probe 0xa0000000-0xa0ffffff:
clean.
Feb  9 17:26:34 toys cardmgr[2571]: socket 0: Lucent Technologies
WaveLAN/IEEE Adapter
Feb  9 17:26:34 toys cardmgr[2571]: executing: 'modprobe hermes'
Feb  9 17:26:34 toys cardmgr[2571]: executing: 'modprobe orinoco'
Feb  9 17:26:34 toys cardmgr[2571]: executing: 'modprobe orinoco_cs'
Feb  9 17:26:34 toys cardmgr[2571]: executing: './network start eth1'
Feb  9 17:26:34 toys /etc/hotplug/net.agent: invoke ifup eth1

The preceding code shows that the kernel recognizes the PCI card (at IRQ 5). The cardmgr identifies the Orinoco card as a WaveLAN/IEEE adapter in socket 0. The network script starts an Ethernet interface (eth1).

If the wireless LAN interface started properly, you should be able to see the new interface by using the iwconfig command. The following is an example of output from the iwconfig command:

eth1   IEEE 802.11-DS  ESSID:""  Nickname:"HERMES I"
       Mode:Managed  Frequency:2.457GHz  Access Point: 00:00:00:00:00:00
       Bit Rate:11Mb/s   Tx-Power=15 dBm   Sensitivity:1/3
       Retry limit:4   RTS thr:off   Fragment thr:off
       Encryption key:off
       Power Management:off

If your wireless LAN interface does not appear to be working, refer to the section "Troubleshooting a wireless LAN" later in this chapter. If the interface does seem to be working, you are ready to tune your wireless LAN card interface and set up TCP/IP to be able to use the interface.

Configuring the wireless interface

The Network Configuration window (neat command) can be used to configure wireless Ethernet card interfaces, as well as regular wired Ethernet cards. The following procedure describes how to configure a wireless Ethernet card using the Network Configuration window.

1. Start the Network Configuration. From the Red Hat menu, click System Settings ? Network, or, as root user from a Terminal window, type neat. The Network Configuration window appears.

2. Click the New button. The Select Device Type window appears.

3. Click Wireless connection and Forward. The Select Wireless Device window appears.

4. Click your wireless card from the list of cards shown, and click Forward. The Configure Wireless Connection window appears, as shown in Figure 15-11.

   
   Figure 15-11: Add a wireless interface using the Network Configuration window.

5. Add the following information and click Forward:

   • Mode — Indicates the mode of operation for the wireless LAN card. Because I am setting up a wireless LAN consisting of only one cell (in other words, with no roaming to cells set up in other areas), I could set the mode to Ad hoc. Ad hoc mode allows the card to communicate directly with each of its peers. You can use Managed mode if you have multiple cells, requiring your card to communicate directly to an access point. You can also use Managed mode for a point-to-point network, such as when you use the wireless LAN to extend a network from one building to another.

   • Network Name (SSID) — The network name (or Network ID) that identifies cells that are part of the same network. If you have a group of cells (which might include multiple nodes and repeaters among which a client could roam), this name can identify all of those cells as falling under one virtual network. Choose any name you like and then use that name for all computers in your virtual network. (SSID stands for Service Set ID.)

   • Channel — Choose a channel between 1 and 14. You can begin with channel 1; if you get interference on that channel, try changing to other channels.

   • Transmit Rate — Choose the rate of transmission from the following rates: 11M, 5.5M, 2M, 1M, or Auto. Choosing Auto allows the interface to automatically ramp down to lower speeds as needed. Lower speeds allow the interface to transmit over greater distances and deal with noisy channels.

   • Key — You need the same encryption key for all wireless LAN cards that are communicating with each other. It is critical to get this value right. This key is used to encrypt all data transmitted and decrypt all data received on the wireless interface. You can enter the number (up to 10 digits) as XXXXXXXXXX or XXXX-XXXX-XX (where each X is a number), for example, 1234-5678-90.

   A Configure Network Settings window appears.

6. You can enter the following information:

   • Automatically obtain IP address settings with: If you want to get your IP address from a DHCP server, click this box and the rest of the information is obtained automatically. Otherwise, set the IP address statically using the other options.

   • Host name: If you are using DHCP, you can optionally add a host name to identify this network interface. If none is entered here, the output from the /bin/hostname command is used.

   • Statically set IP addresses: Click here to manually set your IP addresses.

   • Address: If you selected static IP addresses, type the IP address of this computer into the Address box. This number must be unique on your wireless network.

   • Subnet Mask: Enter the netmask to indicate what part of the IP address represents the network. (Netmask is described later in this chapter.)

   • Default Gateway Address: If a computer on your wireless LAN is providing routing to the Internet or other network, type the IP address of the computer here.

7. Click Forward to see a listing of the information you just entered.

8. Click Apply to complete the new wireless network interface.

9. Click File ? Save (on the main window) to save the interface.

This procedure creates an interface configuration file in your /etc/sysconfig/network-scripts directory. The name of the configuration file is ifcfg- followed by the interface name (such as eth0, eth1, and so on). So, if your wireless card is providing your only network interface, it would be called ifcfg-eth0.

Using any text editor, open the ifcfg-eth? file as root user. The following is an example of an ifcfg-eth1 file:

# Please read /usr/share/doc/initscripts-*/sysconfig.txt
# for the documentation of these parameters.
USERCTL=no
PEERDNS=no
GATEWAY=10.0.0.1
TYPE=Wireless
DEVICE=eth1
HWADDR=00:02:2d:2e:8c:a8
BOOTPROTO=none
NETMASK=255.255.255.0
ONBOOT=no
IPADDR=10.0.1.1
NAME=
DOMAIN=
ESSID=
CHANNEL=1
MODE=Ad-Hoc
KEY=9900-0000-00
RATE=11Mb/s
NETWORK=10.0.1.0
BROADCAST=10.0.1.255

In this example, the wireless card's hardware (MAC) address is automatically set to 00:02:2d:2e:8c:a8. (Your MAC address will be different.) The interface is not yet set to come up at boot time (ONBOOT=no). The interface device is eth1 (which matches the interface filename ifcfg-eth1), because this particular computer has another Ethernet card on the eth0 interface. The interface type is set to Wireless.

Other information in the file sets standard TCP/IP address information. The NETMASK is set to 255.255.255.0 and the IP address for the card is set to 10.0.1.1. The broadcast address is 10.0.1.255.

You can also set many options that are specific to your wireless network in this file. The following is a list of some additional options that you might want to set:

• NWID — Identifies the name of this particular computer on the network. The computer's host name (determined from the uname -n command) is used by default if you don't set it with NWID.

• FREQ — You can choose a particular frequency in which to transmit. No value is required, because selecting a channel implies a certain frequency. If you do enter a frequency, the value must be a number followed by a k (kilohertz), M (megahertz), or G (gigahertz). The default values for the channels you select range from 2.412G (channel 1) to 2.484G (channel 14), with other channels occurring at increments of .005G. The default is 2.422G.

• SENS —You can select the sensitivity level of the access point. SENS can be set to 1 (low density), 2 (medium density), 3 (high density). The default is 1. The sensitivity threshold has an impact on roaming.

  Caution?

  The encryption algorithm used with 802.11 networks is the Wired Equivalent Privacy (WEP) algorithm. Though using the encryption key is more secure than not using it, some experts feel that WEP has some inherent flaws that might allow a drive-by hacker to decrypt your wireless LAN traffic. For that reason, I strongly recommend using additional techniques to protect your wireless LANs, such as firewalls and diligent log-checking. See the "Wireless Security" sidebar for further information.

Besides those options just shown, you can also pass any valid options to the iwconfig command (which actually interprets these values), by adding an IWCONFIG option to the configuration file. Display the iwconfig man page (man iwconfig) to see all wireless options. Also view the /etc/sysconfig/network-scripts/ifup-wireless script to see how the options you just added are processed.

net.ipv4.ip_forward = 1

Repeat this procedure for each wireless Red Hat Linux computer on your LAN. At this point, your wireless network should be ready to go. Restart your network, as described in the following steps, to make sure that it is working.

Activating the wireless interfaces

To immediately activate the wireless interface you just configured, click on the Wireless entry on the Network Configuration window and click the Activate button. After a few seconds, the Status should appear as Active.

To have the interface start when you reboot your computer, click the wireless interface from the Network Configuration window and select Edit. From the Wireless Device Configuration window that appears, click the box next to "Activate device when computer starts."

If you want to explicitly enter a Network Name (SSID), click the Wireless Settings tab on the Wireless Device Configuration window. From there, select Specified, type the network name (any name you choose to match others on your wireless network), and click OK.

Be sure to save your changes on the Network Configuration window by clicking File ? Save.

Checking your wireless connection

Your wireless LAN interface should be operating at this point. If another wireless computer is available on your wireless network, try communicating with it using the ping command and its IP address (as described in the " Can you reach another computer on the LAN?" section further in this chapter).

If you are not able to communicate with other wireless nodes or if transmission is slow, you may have more work to do. For example, if you see messages that say "Destination Host Unreachable," instead of the output shown earlier, refer to the section on "Troubleshooting a wireless LAN" for help. If you want to fine-tune your wireless interface, refer to the "Manually configuring wireless cards" section later in this chapter.

Wireless Security

The Wireless Ethernet Compatibility Alliance (WECA) has recommended changes in response to security concerns about wireless networks. They did this because, unlike wired networks, which can often be physically protected within a building, wireless networks often extend beyond physical boundaries that can be protected.

The Wireless Equivalent Privacy (WEP) standard adds encryption to the 802.11 wireless standard. WECA refers to WEP as its way of providing "walls" that make wireless Ethernet as secure as wired Ethernet. However, you need to implement WEP, as well as other security methods that would apply to any computer network, in order to make your wireless network secure. Here are WECA's suggestions:

• Change the default WEP encryption key on a regular basis (possibly weekly or even daily). This prevents casual drive-byhackers from reading your encrypted transmissions.

• Use password protection on your drives and folders.

• Change the default Network Name (SSID).

• Use session keys, if available in your product (session keys are not supported in current Linux wireless drivers).

• Use MAC address filtering (supported in a limited way in Linux).

• Use a VPN (Virtual Private Network) system, which can add another layer of encryption beyond that which is available on your wireless network.

For larger organizations requiring greater security, WECA suggests such features as firewalls and user-verification schemes (such as Kerberos). As I mentioned earlier in this chapter, features for protecting from intrusions and restricting services are already built into Red Hat Linux. Refer to the descriptions of security tools in Chapters 14, 15, and 16 for methods of securing your network, its computers, and their services. In particular, you could consider adding a VPN such as CIPE (described in Chapter 16) to further secure all data sent on your wireless LAN.