Cisco Aironet and OpenBSD 3.1

Objective
I decided to get a wireless network card for my OpenBSD machine instead of buying an access point. Having an access point just seems limiting to me. I decided to get a wireless PCI card so I can just add it to the existing machine that already does packet filtering with PF and NAT for my internal network on my cable modem. This gives me one hard-wire interface connected to the cable modem, one hard-wire interface to a hub, and one wireless card, all in the gateway machine.

The Part
Cisco Aironet 352 PCI adapter with the pcmcia card built in, bought from eBay.

Kernel Configuration

I have a custom built kernel in OpenBSD 3.1, so I had to go back to my kernel configuration file, add the following line, and recompile:

    an*     at pci? dev ? function ?        # Aironet IEEE 802.11DS

If you have a laptop and just the pcmcia card, you should probably use:

    an*     at pcmcia? function ?           # Aironet IEEE 802.11DS

If you are running the kernel that came with the default installation of OpenBSD, you don't need to worry about adding an* because it is there already.

The Utility

OpenBSD already ships the utility you need to configure the card; in this case it is ancontrol. For wireless cards made by vendors other than Cisco, you'll probably need wicontrol instead, and this page won't help you much because it uses different configuration options.

Setup

    Device txp0:

    • 3com 990 PCI with 3xp processor 10/100mbit
    • IP: 66.xx.xx.xx
    • Goes right to the cable modem

    Device ep1:

    • Old 3c509 ISA card 10mbit
    • IP: 192.168.0.1
    • Goes to hub

    Device an0:

    • Cisco 352 Aironet Wireless PCI
    • IP: 192.168.1.1
    • Acting as access point for my laptop

You'll need to add a file to /etc to give your wireless device an IP and subnet assignment:

    echo "inet 192.168.1.1 255.255.255.0 NONE" > /etc/hostname.an0

DHCPd
I also want to run DHCP on both devices, ep1 and an0. That way, when I take my laptop back and forth from home, I don't have to set a static IP. DHCP just makes things easier. I still give each of my machines a fixed address through dhcpd, so when I need to ssh or scp into another machine, I don't have to hunt around for its IP.

In the case of the wireless device, I only want to assign a DHCP address for my laptop. I live in an apartment complex and don't want just anyone using my bandwidth. The other issue I have is that if I want to dish out IPs for two different devices, I have to have a special configuration in /etc/dhcpd.conf.

Edit /etc/dhcpd.interfaces so that it has both your hard-wire and wireless interfaces. Mine says:

    ep1
    an0

Edit /etc/dhcpd.conf to add another network. Mine says:

    shared-network LOCAL-NET {
        option  domain-name "goodmeat.net";
        option  domain-name-servers 204.145.251.1, 205.128.118.1, 205.128.118.2, 4.2.2.2, 4.2.2.3, 128.83.185.40;

        # this is wireless
        subnet 192.168.1.0 netmask 255.255.255.0 {
            option routers 192.168.1.1;

            host laptop {
                hardware ethernet 00:14:3A:56:6A:D8;
                fixed-address 192.168.1.2;
                option host-name "laptop";
            }
        }
    }

    shared-network LOCAL-NET2 {
        option  domain-name "goodmeat.net";
        option  domain-name-servers 204.145.251.1, 4.2.2.2, 205.218.118.1, 208.180.0.2, 206.76.228.23, 128.83.185.40;

        # this is hard-wired
        subnet 192.168.0.0 netmask 255.255.255.0 {
            option routers 192.168.0.1;

            range 192.168.0.100 192.168.0.155;

            host mariann {
                hardware ethernet 00:B0:F2:54:CA:D6;
                fixed-address 192.168.0.3;
                option host-name "mariann";
            }
            host oats {
                hardware ethernet 00:A3:D2:34:AC:E8;
                fixed-address 192.168.0.2;
                option host-name "oats";
            }
            host bogus {
                hardware ethernet 00:A0:F6:59:CD:D6;
                fixed-address 192.168.0.4;
                option host-name "bogus";
            }
        }
    }

Notice that the hard-wired network has a range, so it hands out additional IPs beyond the ones I have assigned statically. The wireless configuration only hands out an IP to one specific MAC. That is not real access control: it can easily be circumvented by someone setting their machine to 192.168.1.3 statically and using 192.168.1.1 as the gateway. The average person isn't smart enough to figure that out, so I'm not too worried about bandwidth leeches.
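
To see at a glance which subnets in a dhcpd.conf offer a pool and which only answer listed MACs (the point made above), here is an added Python example; it is not from the article or from OpenBSD's dhcpd. It parses only the statements the article's config uses (shared-network, subnet, option routers, range, host, hardware ethernet, fixed-address), embeds an abridged copy of the article's own config as sample input, and also checks that every DHCP subnet falls inside a NAT source network like the 192.168.0.0/16 used later on this page.

```python
"""Report, per dhcpd subnet, whether dhcpd offers a pool (range) or only
fixed addresses to listed MACs. Added example; not from the article or
from OpenBSD's dhcpd. Understands only the statements the article's
config uses."""
import ipaddress
import re
from dataclasses import dataclass, field

# The article's /etc/dhcpd.conf, abridged (option lists shortened),
# embedded here as sample input.
SAMPLE_CONF = """
shared-network LOCAL-NET {
    option domain-name "goodmeat.net";
    option domain-name-servers 204.145.251.1, 4.2.2.2;
    # this is wireless
    subnet 192.168.1.0 netmask 255.255.255.0 {
        option routers 192.168.1.1;
        host laptop { hardware ethernet 00:14:3A:56:6A:D8; fixed-address 192.168.1.2; }
    }
}
shared-network LOCAL-NET2 {
    # this is hard-wired
    subnet 192.168.0.0 netmask 255.255.255.0 {
        option routers 192.168.0.1;
        range 192.168.0.100 192.168.0.155;
        host mariann { hardware ethernet 00:B0:F2:54:CA:D6; fixed-address 192.168.0.3; }
        host oats { hardware ethernet 00:A3:D2:34:AC:E8; fixed-address 192.168.0.2; }
        host bogus { hardware ethernet 00:A0:F6:59:CD:D6; fixed-address 192.168.0.4; }
    }
}
"""


@dataclass
class Subnet:
    network: str
    netmask: str
    routers: list = field(default_factory=list)
    ranges: list = field(default_factory=list)   # (low, high) pairs
    hosts: dict = field(default_factory=dict)    # mac -> fixed-address

    def fixed_hosts_only(self) -> bool:
        """True when dhcpd has no pool here and only answers listed MACs.
        This limits who gets a lease; a client that configures a static
        address in the subnet never talks to dhcpd at all."""
        return not self.ranges


def _tokens(text: str) -> list:
    text = re.sub(r"#[^\n]*", "", text)          # drop comments
    return re.findall(r"[{};]|[^\s{};]+", text)  # braces/semicolons are tokens


def _parse_block(tokens: list, i: int):
    """Return ([(words, children_or_None), ...], index of the closing '}')."""
    items = []
    while i < len(tokens) and tokens[i] != "}":
        words = []
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i])
            i += 1
        if i >= len(tokens):
            raise ValueError("unterminated statement: %r" % words)
        if tokens[i] == ";":
            items.append((words, None))
            i += 1
        else:                                    # '{' opens a nested block
            children, i = _parse_block(tokens, i + 1)
            items.append((words, children))
            i += 1                               # consume the closing '}'
    return items, i


def _subnet(words: list, children: list) -> Subnet:
    sn = Subnet(network=words[1], netmask=words[3])
    for w, ch in children:
        if w[:2] == ["option", "routers"]:
            sn.routers = [x.rstrip(",") for x in w[2:]]
        elif w[0] == "range":
            sn.ranges.append((w[1], w[2]))
        elif w[0] == "host" and ch is not None:
            mac = addr = None
            for hw, _ in ch:
                if hw[:2] == ["hardware", "ethernet"]:
                    mac = hw[2].lower()
                elif hw[0] == "fixed-address":
                    addr = hw[1]
            sn.hosts[mac] = addr
    return sn


def parse_dhcpd_conf(text: str) -> list:
    """Collect every subnet declaration, however deeply nested."""
    tree, _ = _parse_block(_tokens(text), 0)
    found = []

    def walk(items):
        for words, children in items:
            if words[:1] == ["subnet"] and children is not None:
                found.append(_subnet(words, children))
            elif children is not None:
                walk(children)
    walk(tree)
    return found


def summarize(subnets: list) -> dict:
    """network -> short description of what dhcpd will hand out there."""
    out = {}
    for s in subnets:
        if s.fixed_hosts_only():
            out[s.network] = "fixed-address hosts only (%d MAC)" % len(s.hosts)
        else:
            out[s.network] = "open pool %s-%s plus %d fixed hosts" % (
                s.ranges[0][0], s.ranges[0][1], len(s.hosts))
    return out


def all_inside(subnets: list, nat_source: str) -> bool:
    """Check each DHCP subnet sits inside the NAT source network, so every
    lease handed out is actually translated on the way out."""
    outer = ipaddress.ip_network(nat_source)
    return all(ipaddress.ip_network("%s/%s" % (s.network, s.netmask)).subnet_of(outer)
               for s in subnets)


if __name__ == "__main__":
    nets = parse_dhcpd_conf(SAMPLE_CONF)
    for net, what in summarize(nets).items():
        print(net, "->", what)
    print("all inside 192.168.0.0/16:", all_inside(nets, "192.168.0.0/16"))
```

Run it against your real /etc/dhcpd.conf by reading the file into parse_dhcpd_conf instead of SAMPLE_CONF; a subnet reported as "fixed-address hosts only" is exactly the case the paragraph above describes, where only the listed MAC gets a lease but nothing stops a statically configured client.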

If you've been following along and haven't rebooted yet, now is probably a good time.

Using ancontrol
By default, your card will work in infrastructure mode. That's not what you want. You need ad-hoc, which means if it doesn't find an access point in the area, it declares itself to be an access point.

You will need the MAC address of your wireless card. Get it by doing:

    ancontrol -S

These options will give the most basic operation for your card to be an access point:

    ancontrol -n OpenBSD
    ancontrol -m (the MAC you got from -S here)
    ancontrol -l OpenBSD
    ancontrol -o 0

I am not going to explain what those do because now is a good time for you to read the ancontrol man page, just so you're clear about what's going on. It's wasteful of my time to rewrite the manual.

It might be a good idea to make a script out of it so you don't have to type it on every boot:

    #!/bin/sh

    ancontrol -n OpenBSD            # SSID
    ancontrol -m xx:xx:xx:xx:xx:xx  # the MAC address you got from ancontrol -S
    ancontrol -l OpenBSD            # station name
    ancontrol -o 0                  # operating mode 0 = ad-hoc

Spoken aloud, that last line is: dash, lowercase oh, space, zero.

Wired Equivalent Privacy (WEP)
WEP isn't secure, but it's better than broadcasting all your traffic to the neighborhood in plaintext. From ancontrol(8):

WEP ("wired equivalent privacy") is based on the RC4 algorithm, using a
24 bit initialization vector.

RC4 is supposedly vulnerable to certain known plaintext attacks,
especially with 40 bit keys. So the security of WEP in part depends on how
much known plaintext is transmitted.

You should look for an IPsec or SSH tunneling tutorial now if you want some proven security over wireless.

To get WEP enabled with ancontrol, you'll need three more commands. If you live in the US and have a card with the higher encryption limit (128 bit), you'll want to use a long key of 26 hex characters (0-9, a-f, and A-F); otherwise you use 10 hex characters. Both are prefixed with 0x (zero ex).

You can set up to 8 keys total, 4 temporary and 4 permanent. See ancontrol(8). The first example is 128 bit, but be smart and pick a more random combination of numbers and letters:

    ancontrol -v 0 -k 0x1234567890abcdefABCDEF1234
    ancontrol -e 0
    ancontrol -W 1

A 40 bit example would look something like:

    ancontrol -v 0 -k 0x1e3a5f7890
    ancontrol -e 0
    ancontrol -W 1
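
To check a key string before handing it to ancontrol -k, to draw a properly random one instead of typing digits by hand, and to put a number on the man page's 24-bit IV remark, here is an added Python example; it is not from the article, OpenBSD or ancontrol. It assumes only what the article states: a key is 0x followed by 10 hex digits (40-bit) or 26 hex digits (104-bit secret key, sold as "128-bit"), and the driver prepends a 24-bit IV to the key for every frame.

```python
"""Checks for the WEP key strings passed to ancontrol -k, a CSPRNG key
generator, and a birthday-bound estimate of how soon a 24-bit IV repeats.
Added example; not from the article, OpenBSD or ancontrol. Assumes only
what the article states about key lengths and the 24-bit IV."""
import math
import re
import secrets

IV_BITS = 24                         # per-frame initialization vector
_KEY_BITS = {10: 40, 26: 104}        # hex digits accepted by -k -> key size
_HEX_KEY = re.compile(r"^0x([0-9a-fA-F]+)$")


def wep_key_bits(key: str) -> int:
    """Secret key size in bits, or ValueError if -k would not accept it."""
    m = _HEX_KEY.match(key)
    if not m:
        raise ValueError("key must be 0x followed only by hex digits")
    n = len(m.group(1))
    if n not in _KEY_BITS:
        raise ValueError("key has %d hex digits; need 10 or 26" % n)
    return _KEY_BITS[n]


def rc4_key_bits(key: str) -> int:
    """What RC4 is actually keyed with: the secret key plus the 24-bit IV,
    so a '128-bit' key is 104 secret bits + 24 bits sent in the clear."""
    return wep_key_bits(key) + IV_BITS


def random_wep_key(bits: int = 104) -> str:
    """Draw a key from the OS CSPRNG rather than typing one by hand."""
    return "0x" + secrets.token_hex({40: 5, 104: 13}[bits])


def windows_key_form(key: str) -> str:
    """The same key as the WinXP dialog wants it: hex digits, no 0x."""
    wep_key_bits(key)                # validate first
    return key[2:]


def frames_until_iv_repeat(probability: float = 0.5) -> float:
    """Birthday bound: frames sent before some IV has repeated with the
    given probability. A repeated IV reuses RC4 keystream, which is one
    of the reasons WEP counts as broken rather than merely weak."""
    space = 2 ** IV_BITS
    return math.sqrt(2 * space * math.log(1 / (1 - probability)))


if __name__ == "__main__":
    for k in ("0x1234567890abcdefABCDEF1234", "0x1e3a5f7890", random_wep_key()):
        print(k, wep_key_bits(k), "secret bits,", rc4_key_bits(k), "RC4 bits")
    print("IV repeat at 50%% after about %.0f frames" % frames_until_iv_repeat())
```

The IV estimate is the point to take from this: a busy station cycles through enough IVs in minutes that keystream reuse is a certainty, regardless of whether you chose the 40-bit or the 104-bit key, which is why the article points you at IPsec or SSH for anything that actually needs protecting.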

NAT
Now just make sure you have a line like this in your /etc/nat.conf:

    nat on txp0 from 192.168.0.0/16 to any -> txp0

The /16 covers both the hard-wired and wireless subnets.

WEP on client WinXP laptop
Go to the connection properties for the wireless adapter and click the Wireless Networks tab. Click the OpenBSD network. If it is already configured in the bottom window, click Properties for that one; WinXP won't like it if you try to configure the existing network from the top window. Check the "Data Encryption (WEP Enabled)" checkbox. Enter the key in the Network Key field without the 0x prefix, for a total of 26 letters and numbers. Make sure Hexadecimal Digits is selected for the key format. The key index, if you used this example, is 0 (zero). Click OK to save the settings and WinXP will reconnect to the gateway.

Additional Resources
Cisco - Configuring Wired Equivalent Privacy (WEP)