This post continues from Part 3: Firewalls

If everything in your house is wired, congratulations, you have a fast, reliable network. You also must have an unlimited data plan on your phone because I've never seen a phone with an ethernet port. For those of us who use wireless devices, we're going to need to add a wireless access point to the router. There are two ways to do this: the easy, reliable, expensive way or the hard, flaky, cheap way. Fortunately, you probably already have an old wireless access point lying around, so the "expensive" way won't actually cost anything. I'll explain how to do it both ways, but if you have a spare wireless access point I highly recommend taking that route.

Option 1: Commercial access point

Adding wireless to your network is extremely simple if you have an old access point. All you need to do is configure a few options in its admin panel and plug it into the LAN.

First of all you'll need to configure its IP address. By default commercial access points usually have an IP like 192.168.0.1. Connect an ethernet cable between one of its LAN ports and your machine and then navigate to its default IP in your browser. You should see its admin panel. Log in and meander through the settings until you find the place where you can change its IP address. Mine looks like this:

IP settings for my access point

Set the IP address to something outside of the DHCP range you set up on the router earlier. That way the router won't assign the same IP address to something else on your LAN. Depending on your access point you may or may not have to reboot it now.

Next you need to disable the access point's DHCP server. By default these things usually run a DHCP server, but since you're already running one on your router you don't need another one. Once again flick through the settings until you find the DHCP options and then disable it. Mine looks like this:

DHCP settings for my access point

Again you may or may not have to reboot. Once it's back up and running it should work. Set up a wireless network in the admin panel and then connect one of its LAN ports (NOT the access point's WAN port) to the LAN port of your router. Join the wireless network from one of your devices and make sure it's working.
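
The "outside of the DHCP range" step above can be checked on the router before you type an address into the access point. This is an added example, not part of the original post: the function name and the sample pool are constructed, and it only understands plain "range LOW HIGH;" statements, so point it at your own dhcpd.conf.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a static
# address would collide with a DHCP pool defined in dhcpd.conf.

# Exit status 0 if address $1 lies inside any "range LOW [HIGH];"
# statement of the dhcpd.conf file $2, 1 if it is outside every pool.
ip_in_dhcp_pool() {
    sed 's/#.*//' "$2" | awk -v ip="$1" '
        # Dotted quad to integer so addresses compare numerically.
        function num(a,    p) {
            split(a, p, ".")
            return p[1] * 16777216 + p[2] * 65536 + p[3] * 256 + p[4]
        }
        $1 == "range" {
            gsub(/;/, "")                         # drop the trailing semicolon
            low = $2; high = ($3 == "") ? $2 : $3 # single-address range
            if (num(ip) >= num(low) && num(ip) <= num(high)) hit = 1
        }
        END { exit !hit }'
}

# Constructed sample: one subnet block with a single pool.
conf=$(mktemp)
printf '%s\n' 'subnet 192.168.1.0 netmask 255.255.255.0 {' \
    '    range 192.168.1.100 192.168.1.250;' '}' > "$conf"
for candidate in 192.168.1.2 192.168.1.150; do
    if ip_in_dhcp_pool "$candidate" "$conf"; then
        echo "$candidate: inside a DHCP pool, pick another address"
    else
        echo "$candidate: outside every pool, safe to assign statically"
    fi
done
rm -f "$conf"
```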

Option 2: Wireless adapter

Now if you don't have an old access point to spare then ... what were you using before building this router? Regardless, it's possible to add wireless to your router using cheap USB network adapters and some software called hostapd (Host Access Point Daemon). In my experience it has been incredibly flaky though. Every few days the network would just disappear and a total reboot of the router would be needed to get it back. On top of that the signal is weaker and the throughput is worse. That said, maybe you want some extra wireless networks so you can have a guest network, route one through a VPN, or throttle your roommates.

The first step is to add the wireless interface to your network configuration, exactly how you did for the USB to ethernet adapter earlier. Plug in the device and find its name using $> ip link. It should show up in the output if the USB stick is detected properly. Mine shows up as wlxe0ca94701170 but yours will probably be something different:

$> ip link
...
4: wlxe0ca94701170: <BROADCAST,MULTICAST,UP,LOWER_UP> ...  
    link/ether 00:11:22:33:44:55 brd ff:ff:ff:ff:ff:ff

Add another block to your /etc/network/interfaces file to set up the interface:

# Wireless dongle interface
auto wlxe0ca94701170  
iface wlxe0ca94701170 inet static  
  address 192.168.1.1
  network 192.168.1.0
  netmask 255.255.255.0
  broadcast 192.168.1.255

It's exactly the same as the USB to Ethernet dongle interface, but uses a different subnet (192.168.1.0/24). If you want them to share the subnet then search Google for "ethernet bridging". I'm not going to get into that.

Next let's modify the DHCP server to work with the new network. Edit /etc/default/dhcpd.conf and add the new interface to the list of interfaces it should run on:

# /etc/default/dhcpd.conf
INTERFACES="enx0050b617c34f wlxe0ca94701170"  

Then edit /etc/dhcpd/dhcpd.conf and add a new subnet block for it to allocate addresses from:

# wlxe0ca94701170 interface
subnet 192.168.1.0 netmask 255.255.255.0 {  
    range 192.168.1.100 192.168.1.250;
    option subnet-mask 255.255.255.0;
    option broadcast-address 192.168.1.255;
    option routers 192.168.1.1;
}

And finally restart the DHCP server for the new settings to take effect:

$> sudo systemctl restart isc-dhcp-server

You'll also need some new firewall rules to let the new network traffic through. Again these are basically the same as what was needed for the USB to Ethernet adapter, just with a new interface and network. To start, accept traffic from the new network on the router:

$> sudo iptables -A INPUT -i wlxe0ca94701170 -j ACCEPT

Forward traffic from the new network to the WAN:

$> sudo iptables -A FORWARD -i wlxe0ca94701170 -o eth0 -j ACCEPT

And forward traffic from the WAN to the new network if, and only if, the LAN side initiated the connection:

$> sudo iptables -A FORWARD -i eth0 -o wlxe0ca94701170 \
    -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

If you want the separate LAN networks to be able to talk to each other then you'll also have to add a couple more rules that allow the router to forward packets between the two LANs:

$> sudo iptables -A FORWARD -i wlxe0ca94701170 -o enx0050b617c34f \
    -j ACCEPT
$> sudo iptables -A FORWARD -i enx0050b617c34f -o wlxe0ca94701170 \
    -j ACCEPT

Don't forget you'll need to add all these rules to /etc/rc.local to keep them after a reboot.

The last step is to actually install and configure hostapd. Install it as you would any other package:

$> sudo apt-get install hostapd

Next, tell the daemon where to find its configuration file by editing /etc/default/hostapd:

# /etc/default/hostapd
DAEMON_CONF="/etc/hostapd/hostapd.conf"  

Then you can add the configuration. Here's what mine looks like along with some comments to explain what everything is doing:

# /etc/hostapd/hostapd.conf

# The interface to run the access point on
interface=wlxe0ca94701170

# The wireless network name. hostapd reads ssid= literally,
# so don't wrap it in quotes or they become part of the name.
ssid=It hurts when IP

# Sets up the regulatory domain of the network. This sets
# up things like available channels, transmit power, etc.
# based on the country the network is operating in.
country_code=US

# Enable IEEE 802.11d, which advertises the country_code
# and its channel and transmit power limits to clients.
ieee80211d=1

# WiFi mode to use (a, b or g). The g mode does n too, don't
# panic.
hw_mode=g

# Enable n mode as well.
ieee80211n=1

# The wireless channel to use. Use a WiFi scanner app on
# your phone to find a channel without too much interference
# and choose that one.
channel=3

# Some sort of protocol detail. I dunno, you just need it.
wmm_enabled=1

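# Use open system authentication only (bit 0). Bit 1 would
# enable the old WEP shared key authentication, which WPA2
# doesn't use.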
auth_algs=1

# Enable WPA2 for authentication and configure the key
# management and encryption types.
wpa=2  
wpa_key_mgmt=WPA-PSK  
rsn_pairwise=CCMP

# Set the password for the network
wpa_passphrase=SuperSecretPassword  
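
Before starting the daemon it's worth checking the file for settings that quietly weaken the network. The script below is an added example, not part of the original post: it audits a hostapd.conf for WPA1 or TKIP being enabled, shared key authentication, an invalid or copied sample passphrase, and a quoted ssid. The function names and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): audit a hostapd.conf for
# weak wireless security settings. Returns the number of findings.

# Last value assigned to key $2 in file $1 (trailing whitespace trimmed).
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | sed 's/[[:space:]]*$//'
}
flag() { echo "FINDING: $1"; findings=$((findings + 1)); }

audit_hostapd() {
    conf=$1; findings=0
    # Only WPA2 (RSN) should be on: wpa=1 or wpa=3 also enables WPA1.
    wpa=$(conf_get "$conf" wpa)
    [ "$wpa" = 2 ] || flag "wpa=${wpa:-unset}, expected wpa=2 (WPA2 only)"

    # Without rsn_pairwise hostapd falls back to wpa_pairwise (default TKIP).
    pairwise=$(conf_get "$conf" rsn_pairwise)
    [ -n "$pairwise" ] || pairwise=$(conf_get "$conf" wpa_pairwise)
    case " ${pairwise:-TKIP} " in
        *" TKIP "*) flag "TKIP pairwise cipher enabled, use CCMP only" ;;
    esac

    # Bit 1 of auth_algs is WEP-era shared key auth; hostapd's default is 3.
    auth=$(conf_get "$conf" auth_algs)
    [ $(( ${auth:-3} & 2 )) -eq 0 ] || flag "auth_algs allows shared key auth, use 1"

    # WPA2-PSK passphrases are 8..63 characters; reject the post's sample.
    pass=$(conf_get "$conf" wpa_passphrase)
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        flag "wpa_passphrase must be 8 to 63 characters"
    elif [ "$pass" = SuperSecretPassword ]; then
        flag "wpa_passphrase is still the sample value from the post"
    fi

    # ssid= is read literally, so quotes would become part of the name.
    case $(conf_get "$conf" ssid) in
        \"*\") flag "ssid is quoted; drop the quotes (or use ssid2)" ;;
    esac
    return "$findings"
}

# Constructed sample config for a stand-alone run.
sample=$(mktemp)
printf '%s\n' 'ssid="demo"' wpa=3 rsn_pairwise='CCMP TKIP' auth_algs=3 \
    wpa_passphrase=short > "$sample"
audit_hostapd "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Run it as `audit_hostapd /etc/hostapd/hostapd.conf`; an exit status of 0 means none of these checks fired.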

Ok, enable the service, restart it, cross your fingers, and hope it's less flaky for you than it is for me:

$> sudo systemctl restart hostapd
$> sudo systemctl enable hostapd

Now that you've got wireless working your router should be about on par with a commercial grade consumer router. In the next few posts I'll demonstrate the real benefits of building your own router though. First up will be one of my favorites: running a DNS server to block ads and create custom domain names. Try doing that with a Linksys.
