So far, we have examined how to set up wireless clients and access points. We have examined how to use the clients and access points to secure the wireless network. The key piece that brings all of this together is the gateway. The gateway will connect the wireless network and any local wired connections to the Internet itself. Because of its role as the central connecting piece of the network, the gateway is also an ideal place to provide more layers of protection: separating the wired and wireless networks from each other and from the most persistent source of attacks, the Internet.
It is safest to configure and secure the gateway completely before ever connecting it to the Internet. Perform the initial install from a CD, and secure the box before connecting. If you connect a freshly installed, insecure computer to the Internet, there is a good chance it will be hacked before you have it fully set up. The current record for time from connection to completely hacked (to our knowledge) is 17 seconds.
The gateway will have three network connections. The first is a connection to an ISP providing access to the Internet. This could take the form of a dialup, DSL, a cable modem, or higher bandwidth forms of access. In this chapter, we will approach it as an Ethernet card communicating with an external device that handles the connection. (This is commonly how DSL and cable modems work.) Throughout the examples, the Ethernet card connecting to this upstream provider will be referred to as the Linux network interface eth0.
A second Ethernet card will be used to connect to a switch or hub handling local wired connections. This is very useful for connecting local servers or desktop machines that don’t have a wireless card. This network interface will be referred to as eth1.
There are two options for connecting the gateway to the wireless network. Another Ethernet interface can be used to connect to an external, stand-alone AP. Alternatively, the gateway can use a HostAP interface as described in Chapter 9. For simplicity, we will refer to this interface as eth2, as it would be in the case of an external AP. Remember that it could be set up either of these ways, but it won’t affect the configuration as we discuss it in this chapter. (The network interface will be named wlan0 if HostAP is used.)
Our gateway is going to provide services such as DHCP and NAT. If the external access point being used can also provide these services, make sure to disable them on the access point to prevent conflicts.
The role of the gateway is not very computationally demanding, so a fast computer is not a necessity. In a home network, an old Pentium computer with 64 MB of RAM would be able to fulfill this role quite nicely. The gateway does need to have three Ethernet network interfaces or two Ethernet interfaces and a wireless interface.
The duties of the gateway will encompass:
All of these services can be handled under both Linux and FreeBSD. This chapter will cover how to set up the gateway using Linux. Chapter 12 will cover FreeBSD.
The actual IP addresses assigned to the interfaces connecting to the upstream provider and DNS services will vary from one ISP to the next. So in our examples, the following IP addresses will be used throughout this chapter:
IP address assigned by ISP: 192.0.2.230 (assuming the ISP does not issue addresses using DHCP)
DNS server run by ISP: 192.0.2.3
The DHCP server will be configured to assign IP addresses to wireless clients in the range 192.168.0.100 to 192.168.0.200 and to wired clients in the range 192.168.1.100 to 192.168.1.200, as shown in Figure 11-1.
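One way to express the NAT and network separation described above, using this chapter's interface names and addresses. This is an added example, not code from the original chapter: a shell function that prints an iptables-restore ruleset and applies nothing. The /24 netmasks, the default-drop policy and the individual rules are assumptions.

```shell
#!/bin/sh
# Added example: prints an iptables-restore ruleset for the three-interface
# gateway. Nothing is applied to the running system.
# Assumptions (not from the chapter): /24 netmasks, default-drop policy,
# and the particular rules chosen below.
WAN_IF=eth0;  WAN_IP=192.0.2.230        # upstream ISP link (static address)
LAN_IF=eth1;  LAN_NET=192.168.1.0/24    # wired clients
WLAN_IF=eth2; WLAN_NET=192.168.0.0/24   # wireless clients (wlan0 with HostAP)

gateway_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NAT: rewrite internal source addresses to the ISP-assigned address
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j SNAT --to-source $WAN_IP
-A POSTROUTING -o $WAN_IF -s $WLAN_NET -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# DHCP requests are accepted from the internal interfaces only
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $WLAN_IF -p udp --dport 67 -j ACCEPT
# Anti-spoofing: each internal interface may forward only its own subnet
-A FORWARD -i $LAN_IF ! -s $LAN_NET -j DROP
-A FORWARD -i $WLAN_IF ! -s $WLAN_NET -j DROP
# Return traffic for connections opened from the inside
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Wired and wireless clients may reach the Internet
-A FORWARD -i $LAN_IF -o $WAN_IF -j ACCEPT
-A FORWARD -i $WLAN_IF -o $WAN_IF -j ACCEPT
# Nothing is forwarded between eth1 and eth2, or inbound from eth0:
# those packets fall through to the FORWARD DROP policy.
COMMIT
EOF
}

gateway_rules
```

The output can be checked for syntax as root with `iptables-restore --test` before it is loaded on the gateway.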