The setup below describes an older configuration. I have since moved to a situation with a Soekris 5501-70 with a 'regular' access point behind one of its ethernet ports. The nameserver given out over DHCP does not use the trick described below anymore. Instead, I have configured pf to redirect all requests to external IPs on port 80 to the local webserver for non-authenticated clients.
Yes, this allows users to use DNS-tunneling techniques to circumvent the firewall. They, however, will not originate from my IP address, which is what I intend to prevent with this solution.
After my Dell TrueMobile Residential Gateway died a couple of weeks ago, I decided to go for the locally hosted approach with a wireless NIC in my router. This particular Residential Gateway (RG) was giving me headaches anyway - it was only configurable through some obnoxious Windows Java program and had been performing quite badly the last few months.
I disassembled the RG, which turned out to contain a small logic board with a Dell TrueMobile 1150 PCMCIA NIC on it. The NIC was the same as the one I already had; the only difference was in the firmware revision. Fortunately, this NIC is supported by OpenBSD; it gets detected as:
wi0 at pcmcia0 function 0 "Dell, TrueMobile 1150 Series PC Card, Version 01.01" port 0xa000/64
wi0: Firmware 6.10 variant 1, address 00:02:2d:XX:XX:XX
Since my router does not have PCMCIA slots readily available, I went out and purchased a simple PCI-to-CardBus adapter from Conceptronic. This card is fully supported by OpenBSD; it gets detected as:
cbb0 at pci0 dev 13 function 0 "Ricoh 5C475 CardBus" rev 0x80: irq 10
cardslot0 at cbb0 slot 0 flags 0
cardbus0 at cardslot0: bus 1 device 0 cacheline 0x0, lattimer 0x20
pcmcia0 at cardslot0
Unfortunately, although this card is supported in OpenBSD/i386 (and possibly amd64 and other platforms), it is not supported on OpenBSD/alpha. So for now, I'll just use this card in an old i386 machine. Maybe I'll just go out and buy a new AP which I'll then put on a separate VLAN to my router (an Alpha), but until that time, this solution works sufficiently.
So now I have all the hardware I need:
After installing OpenBSD, I made the following changes to the default setup:
/etc/hostname.fxp0:
inet 192.168.41.17 255.255.255.0 192.168.41.255
inet6 <MY_PREFIX>:0:: 64 eui64
!route add -inet6 default fe80::250:4ff:feYY:YYYY%fxp0
/etc/hostname.wi0:
!/sbin/wicontrol -c 1 -n weirdnet.nl -s pizza -f 11 -e 0
inet 192.168.42.1 255.255.255.0 192.168.42.255
inet6 <MY_PREFIX>:1:: 64 eui64
/etc/mygate:
192.168.41.4
/etc/myname:
pizza.wire.ams.weirdnet.nl
/etc/sysctl.conf:
7,8c7,8
< #net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of packets
< #net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of packets
---
> net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of packets
> net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of packets
/etc/resolv.conf:
lookup file bind
nameserver 192.168.41.64
nameserver <MY_PREFIX>:0::53
rc.conf:
pf=YES
dhcpd_flags="-q"	# for normal use: "-q"
rtadvd_flags=wi0	# for normal use: list of interfaces
			# be sure to set net.inet6.ip6.forwarding=1
named_flags=""		# for normal use: ""
httpd_flags=""		# for normal use: "" (or "-DSSL" after reading ssl(8))
/etc/pf.conf:
table <authorized>
scrub in
rdr pass on wi0 proto udp from <authorized> to 192.168.42.1 port 53 -> 192.168.41.64 port 53
rdr pass on wi0 proto tcp from <authorized> to 192.168.42.1 port 53 -> 192.168.41.64 port 53
block in on wi0 inet
pass in on wi0 inet from any to wi0 keep state
pass in on wi0 inet from <authorized> to any keep state
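To see what this ruleset actually does to a packet coming in on wi0, here is a small model of it in Python. This is an added example, not the page's own configuration or any pf code: it replays the two things that matter here, that "rdr pass" both rewrites the destination and skips the filter rules, and that among the filter rules the last matching one wins (with pf passing anything no rule matches, which is why the IPv6 traffic the index page points users to gets through). The client addresses, the 203.0.113.10 "external" host and the contents of the <authorized> table are constructed test data; real replies are matched by state, which is not modelled.

```python
"""Model of the pf.conf ruleset above: translation rules first, then filter
rules with last-match-wins semantics. Added example, not the author's code;
all packets and table contents are constructed test data."""
from dataclasses import dataclass
import ipaddress

GATEWAY_V4 = ipaddress.ip_address("192.168.42.1")   # wi0's address (hostname.wi0)
WIRED_DNS = ipaddress.ip_address("192.168.41.64")   # real resolver on the wired side


@dataclass(frozen=True)
class Packet:
    """A packet arriving inbound on wi0, the only direction the ruleset filters."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def in_table(pkt: Packet, authorized: set) -> bool:
    """<authorized> holds one host entry per client logged in through authpf."""
    return pkt.src in authorized


# The filter rules in pf.conf order. Every rule is evaluated and the LAST
# matching rule decides; if nothing matches, pf passes the packet.
FILTER_RULES = [
    ("block in on wi0 inet",
     lambda p, auth: ipaddress.ip_address(p.src).version == 4, "block"),
    ("pass in on wi0 inet from any to wi0 keep state",
     lambda p, auth: ipaddress.ip_address(p.dst) == GATEWAY_V4, "pass"),
    ("pass in on wi0 inet from <authorized> to any keep state",
     lambda p, auth: in_table(p, auth), "pass"),
]


def evaluate(pkt: Packet, authorized: set) -> dict:
    """Return the verdict, the rule that produced it and the effective destination."""
    dst = ipaddress.ip_address(pkt.dst)

    # Translation rules run before filtering. "rdr pass" rewrites the
    # destination AND passes the packet without consulting the filter rules,
    # so an authorized client's DNS query to the gateway reaches the real
    # resolver instead of the catch-all named listening on 192.168.42.1.
    if (in_table(pkt, authorized) and dst == GATEWAY_V4
            and pkt.proto in ("udp", "tcp") and pkt.dport == 53):
        return {"verdict": "pass",
                "rule": f"rdr pass on wi0 proto {pkt.proto} ... port 53 -> {WIRED_DNS}",
                "to": f"{WIRED_DNS}:53"}

    verdict, winner = "pass", "(no rule matched: pf default)"
    for text, matches, action in FILTER_RULES:
        if matches(pkt, authorized):
            verdict, winner = action, text       # a later match overrides an earlier one
    return {"verdict": verdict, "rule": winner, "to": f"{dst}:{pkt.dport}"}


if __name__ == "__main__":
    table = {"192.168.42.131"}  # constructed: one client logged in via authpf
    samples = [
        Packet("192.168.42.130", "203.0.113.10", "tcp", 80),  # unauthenticated, outbound web
        Packet("192.168.42.130", "192.168.42.1", "udp", 53),  # unauthenticated, DNS to gateway
        Packet("192.168.42.131", "192.168.42.1", "udp", 53),  # authorized, DNS to gateway
        Packet("192.168.42.131", "203.0.113.10", "tcp", 80),  # authorized, outbound web
        Packet("2001:db8::aa", "2001:db8::53", "udp", 53),    # IPv6: no inet rule applies
    ]
    for p in samples:
        r = evaluate(p, table)
        print(f"{p.src:>16} -> {p.dst:>14}/{p.proto}:{p.dport}: "
              f"{r['verdict']:5} to {r['to']} via {r['rule']}")
```

Running it shows the unauthenticated client only ever reaching 192.168.42.1 (and therefore the catch-all nameserver and the Apache page), while the authorized client's DNS queries are silently moved to 192.168.41.64 and everything else of its passes.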
/etc/dhcpd.interfaces:
wi0
/etc/dhcpd.conf:
option domain-name "wifi.ams.weirdnet.nl";
option domain-name-servers pizza.wifi.ams.weirdnet.nl;
option routers pizza.wifi.ams.weirdnet.nl;
option broadcast-address 192.168.42.255;

shared-network DHCP-WIFI {
	subnet 192.168.42.0 netmask 255.255.255.0 {
		range 192.168.42.128 192.168.42.192;
	}
}

host nugget {
	hardware ethernet 00:02:2d:ZZ:ZZ:ZZ;
	fixed-address nugget.wifi.ams.weirdnet.nl;
}
/etc/authpf/authpf.allow:
*
/etc/authpf/authpf.conf:
table=authorized
/etc/ssh/sshd_config:
81,82c81,82
< #ClientAliveInterval 0
< #ClientAliveCountMax 3
---
> ClientAliveInterval 20
> ClientAliveCountMax 3
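Review bot: the two values in this hunk decide how long a vanished wireless client stays authorized: with ClientAliveInterval 20 and ClientAliveCountMax 3, sshd sends a keepalive every 20 seconds and drops the session after three unanswered ones, so a client that walks out of range without logging out has its authpf session, and with it its entry in <authorized>, torn down after roughly 60 seconds. Worth a one-line comment next to the setting, since the default (ClientAliveInterval 0) would leave such a client's IP authorized until the TCP connection finally times out.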
named.conf:
options {
	version "";
	listen-on { 192.168.42.0/24; };
};

zone "." {
	type master;
	file "master/root.zone";
};
master/root.zone:
$ORIGIN .
$TTL 86400
@	IN SOA	pizza.wifi.ams.weirdnet.nl hostmaster.weirdnet.nl (
			1 3600 900 1209600 43200 )
	IN NS	pizza
	IN MX	10 pizza
	IN TXT	"Messed up root zone"
*	IN A	192.168.42.1
	IN AAAA	<MY_PREFIX>:0001:0202:2dff:feXX:XXXX
	IN MX	10 pizza
	IN TXT	"No, not really"
	IN PTR	pizza
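The reason "all websurfing will end up on this machine" is the wildcard record at the root: with only "." and "*." defined in the zone, every other name a client asks for is synthesized from "*.". The following Python is an added example (not the author's code, and not BIND) that loads the zone above as a dictionary and answers queries with the RFC 1034/4592 wildcard rules, so you can check what the catch-all nameserver hands back for any name. The AAAA record keeps the page's <MY_PREFIX> placeholder as an opaque string, and the query names in the demo are made up.

```python
"""Lookups against the catch-all root zone above with wildcard matching.
Added example, not the author's code or BIND's; query names are constructed."""

# The zone as loaded: owner name -> type -> list of rdata strings.
# Relative names are written out fully under $ORIGIN . so "pizza" is "pizza.".
ROOT_ZONE = {
    ".": {
        "SOA": ["pizza.wifi.ams.weirdnet.nl. hostmaster.weirdnet.nl. 1 3600 900 1209600 43200"],
        "NS": ["pizza."],
        "MX": ["10 pizza."],
        "TXT": ['"Messed up root zone"'],
    },
    "*.": {
        "A": ["192.168.42.1"],
        "AAAA": ["<MY_PREFIX>:0001:0202:2dff:feXX:XXXX"],  # placeholder kept from the page
        "MX": ["10 pizza."],
        "TXT": ['"No, not really"'],
        "PTR": ["pizza."],
    },
}


def canonical(name: str) -> str:
    """Lower-case, fully qualified form with a trailing dot; "" and "." are the root."""
    name = name.strip().lower()
    if name in ("", "."):
        return "."
    return name if name.endswith(".") else name + "."


def ancestors(name: str):
    """Yield the proper ancestors of a canonical name, nearest first, ending at the root."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels) + 1):
        rest = labels[i:]
        yield ".".join(rest) + "." if rest else "."


def wildcard_of(encloser: str) -> str:
    """The wildcard child of a name ("*." for the root itself)."""
    return "*." if encloser == "." else "*." + encloser


def lookup(zone: dict, qname: str, qtype: str):
    """Answer a query: list of (owner, type, rdata); [] means NODATA, None means NXDOMAIN."""
    name = canonical(qname)
    if name in zone:                        # exact match: no wildcard processing at all
        return [(name, qtype, rd) for rd in zone[name].get(qtype, [])]
    for enc in ancestors(name):             # closest encloser = nearest existing ancestor
        if enc in zone:
            wild = wildcard_of(enc)
            if wild not in zone:
                return None                 # no wildcard child: the name does not exist
            # Synthesized answer: owned by the query name, not by "*."
            return [(name, qtype, rd) for rd in zone[wild].get(qtype, [])]
    return None


if __name__ == "__main__":
    for qname, qtype in [("www.example.com", "A"), ("mail.example.net", "MX"),
                         ("pizza.wifi.ams.weirdnet.nl", "A"), (".", "A"), (".", "NS")]:
        print(f"{qname:>28} {qtype:5} -> {lookup(ROOT_ZONE, qname, qtype)}")
```

Every name other than the root itself comes back as 192.168.42.1, including pizza.wifi.ams.weirdnet.nl, which is why the DHCP options can name the gateway by hostname and still work; only a query for "." itself gets a NODATA answer for A, because the root has no address records.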
httpd.conf:
240c240
< # LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so
---
> LoadModule rewrite_module /usr/lib/apache/modules/mod_rewrite.so
...
355a356,357
> RewriteEngine On
> RewriteRule !^/openbsd_pb.gif$ /index.html [L]
index.html:
<html>
<head>
<title>The weirdnet.nl wireless network</title>
</head>
<body>
<p>Dear user of the weirdnet.nl wireless network.
<p>You have apparently found this network. Yes, it is unencrypted. Yes, anyone will get an IP address via DHCP. However, the default gateway will, by default, deny all traffic to hosts other than the gateway itself. The nameserver will authoritatively answer any and all requests and it always claims A or AAAA records are the machine itself. So all websurfing will end up on this machine. Then, mod_rewrite will make sure you always get this page.
<p>If you wish to use this network, please use IPv6. For name resolution, you can use <MY_PREFIX>:0::53 as your nameserver. Or, if you are authorized to do so, please authenticate yourself using the methods provided. After authenticating with authpf on the gateway, your IP address will be added to the table of authorized users. These users are allowed to pass the firewall. Also, their DNS requests will be redirected to a nameserver which will give a useful response.
<p>This entire setup was built using OpenBSD and the software that comes with it by default (PF, authpf, Apache, BIND, dhcpd). For more information on this setup visit <a href="http://www.weirdnet.nl/openbsd/wireless/">my website</a> (accessible via IPv6) where I've described the entire configuration.
<p>I hope you enjoy the facilities offered by the weirdnet.nl wireless network but <i>please</i> be a good netizen. Behave, and don't misuse the services offered here.
<p>Cheers,
<p><a href="mailto:wireless@weirdnet.nl">Paul 'WEiRD' de Weerd</a>
<p><img src="http://pizza.ipv4.wifi.ams.weirdnet.nl/openbsd_pb.gif">
</body>
</html>
That's it. For every authorized user I create an authpf account, add their MAC address to /etc/dhcpd.conf (I left one in the example above) and off we go.
This was very easy to configure (the hardest part was getting the exact RewriteRule for Apache right, so that it always serves /index.html except when /openbsd_pb.gif is requested). My thanks (and support) go to the OpenBSD developers. I recommend everyone use OpenBSD and make a donation.