OpenBSD Journal

Setting up 802.11 Wireless Networks

Contributed by jose on from the wep-doesn't-cut-it dept.

/dev/null writes:
"Hello all the OpenBSD SysAdmins!

I am currently trying to set up 802.11 wireless network with OpenBSD or probably NetBSD.

Have anyone already set up wireless network with OpenBSD or NetBSD?

If anyone of you especially admins who already have fully working 802.11 wireless network, can you share your experience and give some tips?"

"
I'm on a BSD based wireless network right now, but it's a pretty basic setup, nothing suitable for a corporate network. Does anyone want to share their configurations for wireless networks with higher security standards?



Comments
  1. By schubert () on

    My wireless network is not segmented from my regular internal network but rather set up in a transparent bridging situation on the gateway (which has 5 NICs). This allows me to not have to maintain 2 DHCP servers, and it also allows a single point of control (and failure) where I can filter all wireless clients based on IP and MAC address. The next step is to implement IPsec.

    Comments
    1. By Anonymous Coward () on

      What kind of WiFi NICs are you using?

      I know some don't have the option or support for bridging because the specs have never been released.
      In the meanwhile I'm having to do NAT & BiNAT with mine because of this. :(

    2. By Anonymous Coward () on

      How do you filter the MAC addresses?

    3. By Anonymous Coward () on

      This also allows for sniffing all traffic as opposed to just wireless traffic. Not a good idea...

    4. By lanshark () alexalmazan@netscape.net on mailto:alexalmazan@netscape.net

      My current front end is FreeBSD 4.8 stable with ipfw and a Netgear M401 WiFi card. I have the PCMCIA slots filled on a small Dell Inspiron 500 MHz PIII laptop. One interface is the cable modem interface, and the second permits all my other WiFi devices to jump onto the net. The problem with this configuration is that when I bring in other machines that lack a WiFi interface, I must get them through a Windows 2K server via ICS with DHCP for the Cat 5 only crowd. This server connects into my Freebee laptop via 802.11b to get to the world wide web.
      To remedy this, I have built a multi-interface x86 based machine. Two of these interfaces are Cat 5 friendly, and my third interface is WiFi. Open 3.2 identified my Prism2 card with no problem whatsoever.

  2. By Anonymous Coward () on

    There is no 802.11(a|g) support.

    If you want to know the differences, then do some homework.

  3. By deekayen () on http://openbsddiary.org/

    The answer to your question really depends on the environment you're in.

    I'm in college, and neither my campus nor my friend's campus has WEP enabled, so people have open access to the network.

    So there are lots of different configurations, with buts attached.

    If you only give DHCP addresses to people that have their MAC registered with an office somewhere, that keeps a lot of people off the network, but obviously anyone smart enough to set one statically is going to get on the network.

    You could enable WEP only and that would keep even more people out, but if you had someone walk in with AirSnort, that solution is out the window.

    The best combination I've seen is to register MACs for statically assigned DHCP addresses and use WEP, IPSec, and authpf for redundant authentication. That still won't stop someone from DoSing your network with AirJack (http://802.11ninja.net) or Fake AP (http://www.blackalchemy.to/Projects/fakeap/fake-ap.html).

    The idea on my campus is to leave the wireless access completely open. It takes all the fun and challenge out of trying to break into the network. We don't have much to hide that's not already behind its own firewall. My friend's campus uses a web based authentication (enter email on a local webserver and leave window open). Only people that know they have to authenticate can get on. It's just a small prevention against wardriving.

    Other than that, I've been happy with Cisco equipment. Just don't upgrade the firmware on cards because the obsd 3.1 kernel doesn't have support for new firmware versions. $200 a card to get Cisco client equipment. I can't vouch for any other hardware.

    Comments
    1. By Anonymous Coward () on

      FYI, Fake AP isn't a DoS attack program. It helps to obscure an AP.

      Comments
      1. By Anonymous Coward () on

        So if I don't know the hostname or IP address of a server that I want to connect to, it's a DoS?

        Comments
        1. By Anonymous Coward () on

          Denial of Service... if you can't find the service, it's not at your disposal and thus "denied".

          Comments
          1. By Alex () alex@wnc.or.at on mailto:alex@wnc.or.at

            Hmm, it's not really a DoS, but I think the effect is nearly the same.
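Two of the comments above describe the same building block without showing it: schubert filters wireless clients on a transparent bridge by MAC and IP, and deekayen hands out static DHCP leases only to registered MACs. The script below is an added example, not code from the thread or from OpenBSD itself. It assumes things the thread does not state: the wireless NIC is wi0, the wired LAN is fxp0, the bridge is bridge0, and a registry file lists one client per line as "<mac> <ip> <hostname>". It uses the ifconfig(8) bridge "rule" grammar; on the 3.x releases discussed here the same rules were given to brconfig(8).

```sh
#!/bin/sh
# Added example (not from the thread): build an OpenBSD bridge MAC allowlist
# and matching static dhcpd(8) host entries from one client registry.
# Assumed interface names (not stated in the thread):
WIFI_IF=${WIFI_IF:-wi0}   # wireless side of the bridge
LAN_IF=${LAN_IF:-fxp0}    # wired side of the bridge

# Constructed sample registry: "<mac> <ip> <hostname>" per line.
# Comment lines, blank lines and malformed MACs are rejected, never silently
# turned into rules.
REGISTRY='00:02:2d:12:34:56 192.168.1.10 laptop1
00:02:2d:ab:cd:ef 192.168.1.11 laptop2
# comment lines and blank lines are ignored

bad-mac 192.168.1.12 broken
'

# valid_mac MAC: succeed only for six colon-separated hex octets.
valid_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# bridge_rules IF < registry: one "rule pass in on IF src MAC" per registered
# client, then a catch-all block. Bridge rules are evaluated in order, so the
# pass rules must come before the block; frames entering the bridge from the
# wireless side with any other source MAC are dropped at layer 2.
bridge_rules() {
    ifc=$1
    while read -r mac ip host; do
        case $mac in ''|\#*) continue ;; esac
        if ! valid_mac "$mac"; then
            echo "skipping invalid MAC '$mac' for host '$host'" >&2
            continue
        fi
        printf 'rule pass in on %s src %s\n' "$ifc" "$mac"
    done
    printf 'rule block in on %s\n' "$ifc"
}

# dhcp_hosts < registry: dhcpd.conf host stanzas pinning each registered MAC
# to its IP, so a pf rule can match on that IP for the same client.
dhcp_hosts() {
    while read -r mac ip host; do
        case $mac in ''|\#*) continue ;; esac
        valid_mac "$mac" || continue
        printf 'host %s {\n\thardware ethernet %s;\n\tfixed-address %s;\n}\n' \
            "$host" "$mac" "$ip"
    done
}

# write_configs DIR: emit DIR/hostname.bridge0 (each line is a set of
# ifconfig(8) arguments, the hostname.if(5) convention) and a dhcpd.conf
# fragment to include from the subnet declaration.
write_configs() {
    dir=${1:-.}
    {
        printf 'add %s\nadd %s\n' "$WIFI_IF" "$LAN_IF"
        printf '%s' "$REGISTRY" | bridge_rules "$WIFI_IF"
        printf 'up\n'
    } > "$dir/hostname.bridge0"
    printf '%s' "$REGISTRY" | dhcp_hosts > "$dir/dhcpd.hosts.conf"
}

# Preview both fragments on stdout: sh wifi-allowlist.sh preview
case ${1:-} in
    preview)
        echo "# hostname.bridge0"
        printf 'add %s\nadd %s\n' "$WIFI_IF" "$LAN_IF"
        printf '%s' "$REGISTRY" | bridge_rules "$WIFI_IF"
        echo up
        echo "# dhcpd.conf host entries"
        printf '%s' "$REGISTRY" | dhcp_hosts
        ;;
esac
```

The generated bridge rules only look at the source MAC of frames arriving on the wireless member interface, so pf on that interface is still where the IP-level filtering happens; the static leases are what make a client's IP predictable enough to filter on. Neither control is authentication: a client can set any MAC and any IP it likes, which is the same gap deekayen notes for statically configured addresses, and it is why the thread keeps coming back to IPsec or authpf for the actual access decision.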

  4. By Anonymous Coward () on

    Why yes, I'd absolutely love to type up a book right here on the spot so that you don't have to do any work on your own. We wouldn't want you to research the subject yourself, or even take 10 seconds to find one of dozens of how-tos on the subject.


    Comments
    1. By click46 () click46@operamail.com on www.genmay.net

      Amen.
      I have a sinking feeling the editorial staff here at deadly is sacrificing quality for quantity. At least that's the impression I've been getting lately.

      Comments
      1. By Anonymous Coward () on

        So why are you here?
        If you are not happy about this forum, just piss off or stop posting things that have nothing to do with OpenBSD.

        AMEN

    2. By Anonymous Coward () on

      This kind of attitude helps no one.

  5. By Patrick Myers () patrick@myers.net on mailto:patrick@myers.net

    I had the same question about two months ago. After digging all over the place and a lot of trial and error, I finally got one of my OpenBSD boxes acting as a gateway.

    I started the IPSec thread on screaming electron mentioned earlier and I'll cross post this there later today. Though I haven't gotten to IPSec yet (been distracted), here's what I've put together about just getting stuff set up.

    http://www.idiotblocks.com/patrick.myers.net/how-tos/index.php

    It is by no means exhaustive and as always, YMMV.

  6. By Philip Munts () phil@munts.net on mailto:phil@munts.net

    I administer a couple of wireless networks. I've had uniformly bad experiences with different wireless routers (they all seem to need to be power cycled periodically). I now use cheaper WAPs (Wireless Access Points) connected to dedicated NICs in each OpenBSD firewall box. I feel like I get better routing granularity using pf rather than the dedicated routers anyway.

    Comments
    1. By Arrigo Triulzi () on http://www.alchemistowl.org/~arrigo

      An interesting comment - would you care to suggest some brands you have had success with? There are so many on the market that so far the people I work for have been considering "same brand" (i.e. all the cards are 3Com, so we buy 3Com WAPs).

  7. By Anonymous Coward () on

    There is only one secure way: use host-based IPsec. Filter out everything else.

    Comments
    1. By Anonymous Coward () on

      There is only one secure way: use host-based IPsec. Filter out everything else.

      What's wrong with using authpf to allow access?

      Comments
      1. By Anonymous Coward () on

        Authpf doesn't secure the data you transmit, post-authentication.

    2. By Joe () on

      I set up a WAP 2 weeks ago. First it was totally open. Then I secured it with 64 bit WEP; now I am using 128 bit WEP. While I realize that 128 bit WEP can be cracked in about 30 minutes or less (pizza time), I have not had any success with IPsec. I have read the FAQ from NetBSD, FreeBSD, and OpenBSD. I use netstat -sn -p ipsec to see what is going on and I keep seeing "packets out success", "packets in failed", something to that effect. It seems that the packets go out okay, but when they get to the other point they are not okay.

      Is it possible to use IPsec and WEP together?

      If so, how? Any ideas? I understand IPsec in theory, but am not able to get 2 boxes to talk together using it.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]