Sharing connection through a secondary unprotected WLAN with only one station
Nowadays, our DSL connections are good enough, and most of the time the bandwidth gets wasted, as we are not using it. Sometimes we wouldn't mind sharing our connection with our neighbours for free, but the usual way is leaving our AP unprotected, so they are able to reach it without a password. This solution is easy, but we lose the traffic protection that WPA brings us.
In this article, I'll show how to create a secondary unprotected WLAN in our AirOS APs, so we can keep on feeling good and secure, while the neighborhood can enjoy the free remaining bandwidth. After following these steps, our AP will provide the following connections:
- WPA Protected WLAN, bridge to the DSL router
- Unsecured WLAN, bridge to the DSL router
Both networks will operate on the same channel, as we have only one wireless device and it has to operate on a fixed channel.
The AirOS firmware is, in essence, a customized version of Linux. In fact, we can get the SDK that includes all the source code (and some disabled extras) that make our stations work. These facts allow us to program our stations and change them in the same way we could change our favourite Linux distribution.
In this case, we won't need to get the SDK, as we'll only connect through SSH to our AP and type in some commands. We'll use the madwifi tools included in the firmware - that provide a driver for the integrated wireless hardware - to create a new virtual device. This new device will work in AP-bridge mode, just in the same way our WPA protected device can work.
I like it. Let's start!
The first step to make our new configuration work is setting WPA protection for the AP through the AirOS web interface the usual way. If you don't know how to do this, you should start reading the AirOS article before going on.
To configure the second WLAN, we need shell access to the Station. We can enable it in the Services tab, checking the "Enable SSH Server" box. Apply the changes and try the connection with your favourite SSH client. You can use PuTTY in Windows (http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe) or 'ssh' in Linux.
If you are using Windows, open the PuTTY client and enter the station IP. If you are using Linux, open a Terminal and type in 'ssh ubnt@stationIP'. You'll have to enter the same user and password you use in the web interface.
Once we're inside the shell, we'll see something like this:

    luismi@bender:~$ ssh firstname.lastname@example.org
    email@example.com's password:
    BusyBox v1.01 (2009.04.18-20:08+0000) Built-in shell (ash)
    Enter 'help' for a list of built-in commands.
    XS2.ar2316.v3.3.2.SDK.090418.2203#

Now we are inside the shell, and we can type in some commands. We'll start by creating the new virtual device. To do this, we'll use the tool 'wlanconfig'. Let's see:

    XS2.ar2316.v3.3.2.SDK.090418.2203# wlanconfig
    usage: wlanconfig wlanX create wlandev wifiX wlanmode [sta|adhoc|ap|monitor|wds] [bssid | -bssid] [nosbeacon]
    usage: wlanconfig wlanX destroy

As we can see in the syntax, we have to provide the new wlan device name, the base wifi device and the operating mode. We'll type in the following command to create the device 'ap0', attached to the physical device 'wifi0' in ap mode:

    XS2.ar2316.v3.3.2.SDK.090418.2203# wlanconfig ap0 create wlandev wifi0 wlanmode ap
    ap0
    XS2.ar2316.v3.3.2.SDK.090418.2203#

Now we have a new virtual device, attached to the wireless card. Next we'll configure the essid, channel and bridge. After that, we'll bring it up:

    XS2.ar2316.v3.3.2.SDK.090418.2203# iwconfig ap0 essid FreeInternet channel 8
    XS2.ar2316.v3.3.2.SDK.090418.2203# iwconfig ap0 key off open
    XS2.ar2316.v3.3.2.SDK.090418.2203# iwpriv ap0 authmode 1
    XS2.ar2316.v3.3.2.SDK.090418.2203# iwpriv ap0 ap_bridge 1
    XS2.ar2316.v3.3.2.SDK.090418.2203# brctl addif br0 ap0
    XS2.ar2316.v3.3.2.SDK.090418.2203# ifconfig ap0 up

With only this small bunch of commands, the new wlan should be operating and bridging to the Internet connection, and the usual WPA protected wlan should be working as well. We can take a look at the Wireless Networks list in our laptop, and confirm everything is working by connecting to it.
If everything went right, we should be enjoying Internet through the new unprotected wlan. Once we have reached this point, we have to make the changes persistent. If not, every time we reboot the station, we'll need to configure it again.
The AirOS firmware has a place where we can put our scripts, and they'll get executed every time the station is booted. This place is located in the folder /etc/persistent, and the script that gets loaded every time is called rc.poststart. Normally, we won't find it, as the default AirOS installation doesn't use it, but we can create it and it'll work as well.
To create the script, we'll type in the following commands:

    XS2.ar2316.v3.3.2.SDK.090418.2203# cd /etc/persistent
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "#!/bin/sh" > rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "wlanconfig ap0 create wlandev wifi0 wlanmode ap" >> rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "iwconfig ap0 essid FreeInternet channel 8" >> rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "iwconfig ap0 key off open" >> rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "iwpriv ap0 authmode 1" >> rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "iwpriv ap0 ap_bridge 1" >> rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "brctl addif br0 ap0" >> rc.poststart
    XS2.ar2316.v3.3.2.SDK.090418.2203# echo "ifconfig ap0 up" >> rc.poststart

During my tests, I've found some reliability problems with this configuration. It seems the WLAN sometimes stops accepting connections. The situation seems to get solved with some extra tuning to the new virtual driver. If you experience these problems, you can try to add these parameters to the script:

    iwpriv ap0 ff 0
    iwpriv ap0 burst 0
    iwpriv ap0 compression 0
    iwpriv ap0 wmm 1
    iwpriv ap0 wmmlevel 0
    iwpriv ap0 set_roaming 1
    iwpriv ap0 addmtikie 1
    iwpriv ap0 wds 0
    iwpriv ap0 autowds 0
    iwpriv ap0 hide_ssid 0

Once this is done we should check that everything worked, checking the contents of the rc.poststart file (if you have added the extra parameters, you'll have them in the rc.poststart script as well):

    XS2.ar2316.v3.3.2.SDK.090418.2203# cat /etc/persistent/rc.poststart
    #!/bin/sh
    wlanconfig ap0 create wlandev wifi0 wlanmode ap
    iwconfig ap0 essid FreeInternet channel 8
    iwconfig ap0 key off open
    iwpriv ap0 authmode 1
    iwpriv ap0 ap_bridge 1
    brctl addif br0 ap0
    ifconfig ap0 up
    XS2.ar2316.v3.3.2.SDK.090418.2203#

Everything is in its place, and the connection is working. So we only need to commit the changes, so they won't get lost after rebooting the AP. Let's type in this command:

    XS2.ar2316.v3.3.2.SDK.090418.2203# cfgmtd -p /etc -w
    Storing Backup ... [%100]
    Storing Active ... [%100]
    XS2.ar2316.v3.3.2.SDK.090418.2203#

After this, we are ready to reboot our AP and check that everything is working. Let's do it:

    XS2.ar2316.v3.3.2.SDK.090418.2203# reboot
    Connection to 192.168.2.3 closed by remote host.

Some seconds after the reboot, we can check the Wireless Networks list in the laptop again. If everything worked, we should see the two access points that our station is providing: the WPA protected, and the unsecured one.
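A check for the state after the reboot, as an added example that is not part of the original article: it reads 'brctl show' output and lists which interfaces share the bridge with the open AP, since every port of br0 sits on the same layer-2 segment as the clients of the open WLAN. The sample output, the interface names ath0 and eth0 and the bridge id are constructed, the function names are hypothetical, and awk is assumed to be available where the script runs (for instance on a workstation, over output copied from the station).

```sh
#!/bin/sh
# Added example: list bridge members from `brctl show` output and report
# which interfaces share a layer-2 segment with the open AP (ap0).

# Constructed sample of `brctl show` output; ath0, eth0 and the bridge id
# are assumptions, only br0 and ap0 come from the article.
sample_brctl() {
cat <<'EOF'
bridge name     bridge id               STP enabled     interfaces
br0             8000.00156d000001       no              ath0
                                                        eth0
                                                        ap0
EOF
}

# bridge_members BRIDGE: read `brctl show` output on stdin and print the
# member interfaces of BRIDGE, space separated, in listing order.
bridge_members() {
    awk -v want="$1" '
        NR == 1 { next }                      # header line
        NF >= 3 { cur = $1                    # a line that names a bridge
                  if (NF >= 4 && cur == want) out = out " " $4
                  next }
        NF == 1 && cur == want { out = out " " $1 }   # continuation line
        END { sub(/^ /, "", out); print out }
    '
}

# shared_with BRIDGE IFACE: print the other members of BRIDGE when IFACE is
# one of them; return 1 when IFACE is not attached to BRIDGE.
shared_with() {
    members=$(bridge_members "$1")
    others=""
    found=1
    for m in $members; do
        if [ "$m" = "$2" ]; then found=0; else others="$others $m"; fi
    done
    [ "$found" -eq 0 ] || return 1
    echo "${others# }"
}

# On the station itself: brctl show | shared_with br0 ap0
if peers=$(sample_brctl | shared_with br0 ap0); then
    echo "ap0 is bridged into br0 together with: $peers"
else
    echo "ap0 is not a member of br0"
fi
```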
That's all, folks
In this article we have learned how to create a new virtual Access Point to share our connection without leaving our personal connection unprotected. In forthcoming articles we'll learn how to limit the Free AP throughput: maybe our neighbors like P2P too much, and they'll kill our connection in order to watch the last Lost chapter.