# wireless

## Tie yourself together

Over and over again, I’ve seen people fix some wireless-related problem and go “wow, I had no idea how much better this could be!” Wireless protocols often silently operate in an extremely degraded state that makes them substantially worse than wired equivalents.

I live in an apartment building that is located within the city core of my city. When I scan for WiFi networks I can see at least 25 from my main workstation. On my laptop, standing in the middle of the front courtyard, you can see at least 40 networks. Mind you, this is only WiFi networks; I’m not including everything else that might be using the 2.4 GHz spectrum, like Bluetooth or other kinds of wireless devices.

I switched to wired devices a long, long time ago precisely because of unreliable connections, network lag, and the fact that WiFi optimization is more of an art than any sort of science, and that’s before you bring in newer WiFi versions. I just recently rewired my apartment to have Ethernet all over and be able to throw around 4K media with abandon.

Now if only the USB Implementers Forum would get its shit together, that’d be awesome.

## Dell Wireless 1703 on Windows Server 2019

Recently at work I had to install this OS (with the Desktop Experience feature set) on a Dell XPS 8700. Windows was able to recognize everything properly and all components but the network adapter would show up in Device Manager. Tried the usual things to fix this:

• Installing the driver from Dell; it would install but Windows would fail to make use of it.
• Updating the driver using “Search automatically for updated driver software”. This would fail with Windows complaining about an issue with the INF.
• Manually pick a driver from the filesystem. It would also fail with an error about the INF.

Looked at the INF file but there wasn’t anything in it that would make Windows Server just up and refuse to install the thing, and given there isn’t that much difference between Windows 10 and Windows Server the issue had to lie elsewhere.

There is one thing that Windows 10 does, however, and that’s automatically start WLAN services, since usually you’d see Windows Server be installed on enterprise hardware or have it connected to the network via Ethernet. Turns out Windows Server does not even install this feature on its own.

To install it:

1. Click Start button.
2. Type “Turn features on or off”.
3. Click Next 4 times (Before you Begin, Installation Type, Server Selection (which defaults to the local server), and Features).
4. On the Features selection list, scroll down to Wireless LAN Service and select it.
5. Click Install and wait for the OS to do its thing.
6. Reboot system. This is required for it all to work.

After the system comes back up the network adapter should be installed and enabled in Device Manager.

Ah, right… in addition to this it turns out the “Dell Update Application” totally does not work under this OS so you have to manually download and install all device drivers; this took me a couple of hours, so mind your clock.

## A Debian Wifi Router: THE REBOOT

Just like a Hollywood movie, it’s time to do a reboot. Fucking around with the networking stack after every reboot got old real fast. But this time around it looks like the remake is actually better than the original.

The router is still my trusty Thinkpad T60. Other than a couple of scares because of its age it still works! Just need to replace the CPU fan sooner rather than later.

Sources for this were:

Yes, this writing assumes you know what you’re doing on the command line.

## Install Operating System

Whatever your version of Debian is, make sure that it’s up to date and that you install the stuff you’ll need:

```
# aptitude install hostapd rfkill dnsmasq fail2ban
```


Switched away from BIND and ISC-DHCP because they’re a pain in the ass to deal with. Maybe in the future I’ll use them again, but for the time being… this will do the trick.

Something I keep doing and forgetting to document is changing sshd port from 22 to something else and switching from password authentication to key-based authentication. Fail2ban is useful in blocking people trying to force their way in.

## Networking

I had to add both wlan0 and wlan1 manually. Why? Dunno. I suppose they only get added automatically when you’re installing Xorg, which I’m not. Here’s my /etc/network/interfaces:

```
# This file describes the network interfaces available on your system

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet dhcp

# Intel PRO/Wireless 3945ABG (Golan) Rev 02
#auto wlan0
#allow-hotplug wlan0
#iface wlan0 inet dhcp

# Qualcomm Atheros AR922X Wireless Network Adapter (rev 01)
auto wlan1
allow-hotplug wlan1
iface wlan1 inet static
    # NOTE: the static method needs address and netmask lines for the AP subnet here
```


## iptables

Edit /etc/sysctl.conf and uncomment the line for ipv4 packet forwarding:

```
net.ipv4.ip_forward=1
```


Create /etc/network/if-pre-up.d/iptables with the following contents:

```
#!/bin/sh
/sbin/iptables-restore < /etc/network/iptables
```


Change permissions and make executable:

```
# sudo chown root /etc/network/if-pre-up.d/iptables
# chmod 755 /etc/network/if-pre-up.d/iptables
```


Create /etc/network/iptables and put the following in it:

```
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# eth0 is WAN interface
-A POSTROUTING -o eth0 -j MASQUERADE

COMMIT

*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]

# Forward traffic from wlan1 (LAN, the AP interface) to eth0 (WAN)
-A FORWARD -i wlan1 -o eth0 -j ACCEPT

# Service rules: accepts all traffic addressed to the router itself
-A INPUT -j ACCEPT

# Forwarding rules: accepts all forwarded traffic
-A FORWARD -j ACCEPT

COMMIT
```


This part remains unchanged from my initial post. If you want it to do a more thorough job of filtering packets the Ars post is a good place to start.
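The filter table above accepts everything, including traffic arriving on the WAN side. As an added example (not the author's ruleset and not the Ars one), this script emits a default-deny variant for the page's interfaces and lists any accept-all lines in a ruleset; eth0 and wlan1 follow the page, and the SSH port argument is an assumed placeholder.

```shell
# Added example, not the author's ruleset. The SSH port (2222 below) is an
# assumed placeholder; use whatever port sshd was moved to.
gen_rules() {  # usage: gen_rules WAN_IF LAN_IF SSH_PORT
    wan=$1 lan=$2 ssh_port=$3
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $wan -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Loopback, and replies to connections the router itself opened
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Only LAN clients reach the router: ping, DHCP, DNS, SSH
-A INPUT -i $lan -p icmp -j ACCEPT
-A INPUT -i $lan -p udp --dport 67 -j ACCEPT
-A INPUT -i $lan -p udp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport 53 -j ACCEPT
-A INPUT -i $lan -p tcp --dport $ssh_port -j ACCEPT
# LAN to WAN is allowed; WAN to LAN only as replies
-A FORWARD -i $lan -o $wan -j ACCEPT
-A FORWARD -i $wan -o $lan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Read an iptables-restore file on stdin and print the filter-table lines that
# accept everything: ACCEPT policies on INPUT/FORWARD and match-less ACCEPT rules.
wide_open() {
    awk '/^\*/ { t = $1 }
         t == "*filter" && /^:(INPUT|FORWARD) ACCEPT/ { print }
         t == "*filter" && /^-A [A-Z]+ -j ACCEPT$/ { print }'
}

# The generated ruleset has no accept-all lines, so this prints nothing
gen_rules eth0 wlan1 2222 | wide_open
```

Piping the existing /etc/network/iptables through `wide_open` shows the lines to tighten; as root, `iptables-restore --test < FILE` parses a ruleset without committing it.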

## dnsmasq

Edit /etc/dnsmasq.d/local.conf:

```
# If you don't want dnsmasq to read /etc/resolv.conf or any other
# file, getting its servers from this file instead (see below), then
# uncomment this.
no-resolv

bogus-priv

# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=wlan1

# Uncomment this to enable the integrated DHCP server, you need
# to supply the range of addresses available for lease and optionally
# a lease time. If you have more than one network, you will need to
# repeat this for each network on which you want to supply DHCP
# service.
dhcp-range=192.168.1.1,192.168.1.100,24h

# Set nameservers to use
server=192.168.1.1
server=8.8.8.8
server=8.8.4.4
server=208.67.220.220
```


Then restart the service with `# service dnsmasq restart`.

Much, much simpler than trying to configure both BIND and ISC-DHCP just for local networking. The options I included are pretty self-explanatory. If you're going to be assigning IP addresses on more interfaces, make sure to add them.

## hostapd

The great big bad. If your card doesn't support Master mode, just stop trying now and go get yourself a plain old router.

For me these are the settings that work on my Atheros card. You will need to figure out what settings work on your own based on your hardware; you can query its capabilities with iw.

Edit /etc/hostapd/hostapd.conf:

```
# the interface used by the AP
interface=wlan1
# a means 5GHz, g means 2.4GHz
hw_mode=g
# the channel to use. Using 0 will make the AP use ACS to search for the channel with least interference
channel=0
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=US
# ieee80211n: Whether IEEE 802.11n (HT) is enabled
ieee80211n=1
# QoS support
wmm_enabled=1

# SSID (name of the AP)
ssid=SSID
# 1=open system authentication, 2=shared key authentication (WEP), 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
wpa_passphrase=KEY
```


I tried using hw_mode=a but then OSX and iOS devices have a hard time connecting and staying connected to the network, so I switched bands to 2.4GHz. It's slower but far more stable. You'll want to configure the ht_capab option to better make use of your NIC.
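A check for the WPA lines of the hostapd.conf above, as an added example that is not part of the original post: it validates the passphrase length, works out which pairwise cipher WPA2 clients are actually offered, and flags a world-readable file. It assumes the key is set with wpa_passphrase, as on this page; the sample file is constructed.

```shell
# Added example, not from the original post. Lints the WPA settings of a hostapd.conf.
check_hostapd_conf() {  # usage: check_hostapd_conf FILE; prints one finding per line
    conf=$1
    # value of KEY= in the file (last assignment if repeated)
    get() { sed -n "s/^$1=//p" "$conf" | tail -n 1; }

    [ "$(get wpa)" = 2 ] || echo "wpa: not set to WPA2-only (2)"

    # WPA-PSK passphrases must be 8 to 63 characters
    psk=$(get wpa_passphrase)
    if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
        echo "wpa_passphrase: length ${#psk}, must be 8 to 63 characters"
    fi

    # WPA2 clients are offered rsn_pairwise; when it is unset hostapd falls back
    # to wpa_pairwise, which hostapd.conf documents as defaulting to TKIP
    rsn=$(get rsn_pairwise)
    [ -n "$rsn" ] || rsn=$(get wpa_pairwise)
    [ -n "$rsn" ] || rsn=TKIP
    case " $rsn " in *" TKIP "*) echo "pairwise: TKIP offered to WPA2 clients" ;; esac

    # the passphrase sits in this file in clear text
    [ -z "$(find "$conf" -perm -004)" ] || echo "permissions: file is world-readable"
    return 0
}

# Constructed sample mirroring the WPA lines of the config above
sample=$(mktemp)
chmod 644 "$sample"
printf '%s\n' 'wpa=2' 'wpa_key_mgmt=WPA-PSK' 'wpa_pairwise=CCMP TKIP' \
    'rsn_pairwise=CCMP' 'wpa_passphrase=KEY' > "$sample"
check_hostapd_conf "$sample"
```

On the sample it reports the three-character placeholder passphrase and the file mode, and stays quiet about TKIP because rsn_pairwise=CCMP is what applies when wpa=2.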

After this is done, edit /etc/default/hostapd, and change the DAEMON_CONF line to match the location of the hostapd config file:

```
DAEMON_CONF="/etc/hostapd/hostapd.conf"
```


Make sure to test out the configuration file by actually running hostapd and making sure it runs:

```
# hostapd /etc/hostapd/hostapd.conf
```


If you run into issues here you'll have to determine where the issue is coming from:

• Network card driver
• Hostapd configuration

In that case run hostapd with one of the debug switches (hostapd -d /etc/hostapd/hostapd.conf) to figure this out. For maximum driver support the best option is to use Atheros-based cards using the ath5k, ath9k and ath10k drivers. Various cards from other suppliers will work, but will require fiddling with the configuration. They're worth a shot if you need to share Internet access with others around you quickly.

## Reboot

Yes, you'll actually want to reboot at this point. Why? Because the point of a router is that when you turn it on everything works automatically, without you having to manually start a service. So reboot, and check that:

• All services come up by themselves
• You're able to have the system act as a router
• You're not having latency/DNS/throughput anomalies

That's pretty much it. It's a better setup than the first one and it's much easier to control with much less software installed.