I recently moved my wireless network at home to my Cobia server. I'd previously had it hanging off of a Linksys router connected to my DSL modem, but I didn't have nearly as much control over the firewalling functions as I'd like. The Linksys box is a perfectly acceptable as a consumer level firewall and does what my father or grandmother might need, but doesn't give me quite the capabilities I need. And if you're reading this blog, you need a bit more control and capabilities than a consumer router is going to give you.
Moving to my AP over to my Cobia server only took a few minutes. Obviously, the first thing to do was set up the Cobia server. I have a small pool of static IP addresses from my ISP, so I assigned the external interface, eth0, one of these. If you're getting your IP from a DHCP pool provided by your ISP, you'll need to read KC's article on setting up a DHCP client on your system. My ISP provided me with the important information such as default gateway and DNS servers, as do most ISP's. I've found most ISP's to have a pretty good FAQ about setting up your internet access, but your mileage may vary.
The next step was to set up the internal interface for the wireless router. I chose to use the 2.0.0.0/24
subnet, but any of the bogon networks would have worked. I'm using it as a class C subnet because I will eventually have additional hosts in a DMZ off of the Cobia server. If I wasn't, I'd use a /29, subnet mask, which makes the network 2.0.0.0, the Cobia firewall internal interface 2.0.0.1 the AP 2.0.0.2 and the broadcast address 2.0.0.4. I like limiting it to the bare minimum IP address usage so no other hosts can be added to the subnet. Not that this is too likely in your home network, but it's a good habit to stay in for when you're working on the corporate network.
After that, you need to set up SNAT'ing on the Cobia firewall, which I covered on the blog last month. The AP needs to plug into eth1 on on the Cobia server and and one of the switched ports on the AP. This allows you to have the AP forward any DHCP requests to the Cobia server rather than using the DHCP capabilities of the AP. You need to plug Cobia into a switched port rather than the WAN port, because the AP won't pass DHCP requests through the WAN port. When you initially plug your computer the AP's switched ports for configuration, it should provide you with a 192.168.0.x address. Turn off the DHCP service on the AP and use the DHCP service on the Cobia server instead. Your Cobia firewall's internal interface will be the default gateway and the DNS information will have been provided by your ISP.
Be sure to use the best encryption you can on the AP, at the very minimum WPA Personal. This is what I had to use because of the built in wireless on my HP laptop won't work with WPA2. WPA is not bulletproof, but it's a lot better than WEP. A script kiddy could break WEP in 10-20 minutes, where as I've been told WPA takes at least a week. WPA2 hasn't been cracked yet, to the best of my knowledge, but it's not supported by all vendors.
After that, it should just be a matter of setting up the wireless connection on your laptop or desktop. My children's computer is in another room of the house and I didn't feel like running a cable. More accurately, my wife wasn't willing to let me drill more holes in the floor or walls to run cables. The wireless works great for them and I'm hoping to move the wife's computer to the wireless network and out of my office soon.
Questions or comments? Send an email to cobia@stillsecure.com or leave a comment on the blog. Let us know if this has been helpful to you.
I cant wait to try this - I wonder how successful this would be in working with the FreeRadius and a few other products.
I have done much work with OpenWRT --- but this product is so much better...
http://churchmedic.com/openwrt/
Imagine a product churches and other non-profits could put into place ... (like universities, schools, etc...) that would allow access - but protect the network... and manage what users see... and cannot.
Posted by: Glenn Kelley | June 25, 2007 at 08:10 PM