Author: Víctor Escudero Rubio
Sun-Microsystems.ORG
Based on the excellent work of Antonio Anselmi
This document can be accessed at http://sun-microsystems.org/fonera/

Getting the most out of 'La Fonera'
Configuration: Repeater / Access Point / Wireless card (bridge.conf script)

The following describes the configuration files and the most important parameters that can be used to configure the Fonera in any of the three modes (wireless signal repeater, conventional access point, or acting as a wireless card).

These configuration files are read by the main script /etc/bridge; if you have any doubts about how it works, you can consult its implementation at this link.


You can download all of these configuration files together with the /etc/bridge script from here by right-clicking and choosing 'Save as'.

From your Fonera you can download it simply by typing: 'wget http://sun-microsystems.org/fonera/hacks/scripts/bridge_mode-2007-03-25.tar'. The download is over plain HTTP and the tarball contains a script that will run as root on the Fonera, so unpack it and inspect its contents before installing anything from it.


  • modeMonitor and kheaders parameters
    If enabled, modeMonitor brings up a virtual interface in monitor mode (ath2).
    By default, packets received in monitor mode have Prism2 headers prepended; to change this, edit the kheaders parameter with one of the following values:
    kheaders  Description
    11        802.11 headers only
    2         Prism2 headers (default)
    3         Radiotap headers
    4         Atheros descriptors
  • aclMode parameter
    Manages an access control list based on the file /etc/acl_list.conf, which holds a list of MAC addresses, one after another. Depending on the numeric value, access can be limited to only the MACs in the list, denied to the MACs in the list, etc. By default no check is performed, so the usual value of aclMode is 0:
    aclMode  Description
    0        ACLs are not checked (default)
    1        Only allow the MACs in the ACL list
    2        Only deny the MACs in the ACL list
    Note that a MAC list is not an authentication mechanism: client MAC addresses travel in the clear and are trivially cloned, so use aclMode alongside WPA2 on ath0, not instead of it.
  • wMode parameter
    Sets the wireless mode, i.e. the frequency band and the protocol to use. By default the mode is automatic (wMode=0).
    wMode  Description
    0      Automatic selection of the operating mode (default)
    1      802.11a (5 GHz) mode (54 Mbps)
    2      802.11b (2.4 GHz) mode (11 Mbps)
    3      802.11g (2.4 GHz) mode with 802.11b compatibility (54/11 Mbps)
    4      802.11 frequency-hopping mode
    5      802.11a (5 GHz) dynamic turbo mode
    6      802.11g (2.4 GHz) dynamic turbo mode (108 Mbps)
    7      802.11a (5 GHz) static turbo mode
  • DHCP (dnsmasq). The dnsmasq files are very similar to each other; as you will see, the only things that change are the network values for each interface, the interface that is listened on, and the list of interfaces on which listening is explicitly forbidden:
  •  /etc/dnsmasq_repeater-br0.conf (DHCP service)
  •   download dnsmasq_repeater-br0.conf
#/etc/dnsmasq_repeater-br0.conf
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.wlan
local=/wlan/
domain=wlan
expand-hosts

# this Fonera is the only DHCP server on the segment: answer authoritatively
dhcp-authoritative

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

dhcp-leasefile=/tmp/dnsmasq_repeater-br0.leases
# listen on
interface=br0
# IP range (start,end,leasetime)
dhcp-range=172.16.130.65,172.16.130.254,1h
# MAC-IP fixed
#dhcp-host=00:19:d2:3c:73:b7,172.16.130.206
# subnet mask (option 1)
dhcp-option=1,255.255.255.0
# broadcast (option 28)
dhcp-option=28,172.16.130.255
# default gateway (option 3)
dhcp-option=3,172.16.130.1
# DNS (option 6): all servers on ONE line; repeating dhcp-option=6 on
# separate lines does not add servers, only one of the lines takes effect
dhcp-option=6,208.67.222.222,208.67.220.220,213.134.45.129
#
# the end
except-interface=lo
except-interface=eth0
except-interface=ath0
except-interface=ath1
except-interface=ath2
except-interface=ath3
bind-interfaces


#/etc/dnsmasq_repeater-ath0.conf
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.wlan
local=/wlan/
domain=wlan
expand-hosts

# this Fonera is the only DHCP server on the segment: answer authoritatively
dhcp-authoritative

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

dhcp-leasefile=/tmp/dnsmasq_repeater-ath0.leases
# listen on
interface=ath0
# IP range (start,end,leasetime)
dhcp-range=172.16.110.64,172.16.110.254,1h
# MAC-IP fixed
#dhcp-host=00:19:d2:3c:73:b7,172.16.110.106
# subnet mask (option 1)
dhcp-option=1,255.255.255.0
# broadcast (option 28)
dhcp-option=28,172.16.110.255
# default gateway (option 3)
dhcp-option=3,172.16.110.1
# DNS (option 6): all servers on ONE line; repeating dhcp-option=6 on
# separate lines does not add servers, only one of the lines takes effect
dhcp-option=6,208.67.222.222,208.67.220.220,213.134.45.129
#
# the end
except-interface=lo
except-interface=br0
except-interface=eth0
except-interface=ath1
except-interface=ath2
except-interface=ath3
bind-interfaces

# /etc/dnsmasq_repeater-eth0.conf
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=lan
expand-hosts

# this Fonera is the only DHCP server on the segment: answer authoritatively
dhcp-authoritative

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

dhcp-leasefile=/tmp/dnsmasq_repeater-eth0.leases
# listen on
interface=eth0
# IP range (start,end,leasetime)
dhcp-range=172.16.120.65,172.16.120.254,1h
# MAC-IP fixed
#dhcp-host=00:19:d2:3c:73:b7,172.16.120.106
# subnet mask (option 1)
dhcp-option=1,255.255.255.0
# broadcast (option 28)
dhcp-option=28,172.16.120.255
# default gateway (option 3)
dhcp-option=3,172.16.120.1
# DNS (option 6): all servers on ONE line; repeating dhcp-option=6 on
# separate lines does not add servers, only one of the lines takes effect
dhcp-option=6,208.67.222.222,208.67.220.220,213.134.45.129
#
# the end
except-interface=lo
except-interface=br0
except-interface=ath0
except-interface=ath1
except-interface=ath2
except-interface=ath3
bind-interfaces
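The three files above differ only in the interface they bind to and the /24 they hand out, which makes them easy to generate and also easy to get subtly wrong (an interface that is both listened on and excluded, a gateway copied from another file's subnet, a second dhcp-option=6 line that silently discards the first). The script below is an added example for this page, not part of the original page or of the /etc/bridge script: it renders a dnsmasq_repeater-<iface>.conf from those two values and sanity-checks a rendered file. Interface names, lease time, option numbers and DNS servers are the page's own; the layout of the generated file, the check rules and the assumption of a /24 netmask are this example's.

```shell
#!/bin/sh
# Added example, not part of the original page or its scripts: render one of the
# dnsmasq_repeater-<iface>.conf files from the two values that actually differ
# between them, and sanity-check a rendered file before handing it to dnsmasq.

ALL_IFACES="lo br0 eth0 ath0 ath1 ath2 ath3"                # every iface the page names
DNS_SERVERS="208.67.222.222,208.67.220.220,213.134.45.129"  # the page's three resolvers

# gen_dnsmasq_conf IFACE PREFIX DOMAIN  (e.g. br0 172.16.130 wlan) -> config on stdout
gen_dnsmasq_conf() {
    iface=$1; prefix=$2; domain=$3
    cat <<EOF
# /etc/dnsmasq_repeater-${iface}.conf (generated)
domain-needed
bogus-priv
filterwin2k
localise-queries
local=/${domain}/
domain=${domain}
expand-hosts
dhcp-authoritative
read-ethers
dhcp-leasefile=/tmp/dnsmasq_repeater-${iface}.leases
interface=${iface}
dhcp-range=${prefix}.65,${prefix}.254,1h
dhcp-option=1,255.255.255.0
dhcp-option=28,${prefix}.255
dhcp-option=3,${prefix}.1
# all resolvers on ONE option-6 line: repeated dhcp-option=6 lines do not accumulate
dhcp-option=6,${DNS_SERVERS}
EOF
    # name every other interface explicitly, so the DHCP server can never answer
    # on the station side (ath1), the monitor interface (ath2) or the wrong LAN side
    for other in $ALL_IFACES; do
        [ "$other" = "$iface" ] || echo "except-interface=${other}"
    done
    echo "bind-interfaces"
}

# check_dnsmasq_conf FILE -> 0 when consistent, 1 (with a reason on stdout) otherwise
check_dnsmasq_conf() {
    f=$1
    iface=$(sed -n 's/^interface=//p' "$f")
    n=$(grep -c '^interface=' "$f" || true)
    [ "$n" -eq 1 ] || { echo "expected exactly one interface= line, found $n"; return 1; }
    if grep -q "^except-interface=${iface}\$" "$f"; then
        echo "interface $iface is also listed as except-interface"; return 1
    fi
    grep -q '^bind-interfaces$' "$f" || { echo "bind-interfaces missing"; return 1; }
    grep -q '^dhcp-option=1,255.255.255.0$' "$f" || { echo "only a /24 netmask is checked here"; return 1; }
    # pool, gateway and broadcast must all live in the /24 announced in option 1
    range=$(sed -n 's/^dhcp-range=//p' "$f"); lo=${range%%,*}; rest=${range#*,}; hi=${rest%%,*}
    gw=$(sed -n 's/^dhcp-option=3,//p' "$f"); bc=$(sed -n 's/^dhcp-option=28,//p' "$f")
    for a in "$lo" "$hi" "$bc"; do
        [ "${a%.*}" = "${gw%.*}" ] || { echo "$a is not in the /24 of gateway $gw"; return 1; }
    done
    [ "$(grep -c '^dhcp-option=6,' "$f" || true)" -eq 1 ] || { echo "option 6 must appear exactly once"; return 1; }
    return 0
}

# usage: sh gen_dnsmasq.sh br0 172.16.130 wlan > /etc/dnsmasq_repeater-br0.conf
if [ $# -eq 3 ]; then
    gen_dnsmasq_conf "$1" "$2" "$3"
fi
```

Run it once per interface you actually serve (br0 when bridging, eth0 and ath0 otherwise) and keep the check in whatever step restarts dnsmasq; a file that fails it is one that would either not answer at all or answer on a side of the Fonera it should not.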
  • Managing whitelists/blacklists.
  • download acl_list.conf
  •  The file /etc/acl_list.conf holds the MAC addresses of the clients that are or are not allowed to use the wireless signal our Fonera broadcasts, depending on the aclMode parameter in the configuration file /etc/config/bridge.conf. This file must contain only MAC addresses, one per line:
    00:14:3f:0e:a9:52
    00:18:84:11:ae:af
    00:16:6e:0e:a9:12
  • /etc/config/bridge.conf: the long-awaited configuration file that lets you parameterize the behaviour of your Fonera:
  •   download bridge.conf
# /etc/config/bridge.conf
#****************************************************************************
#.- 20070325 version
#.- Script modified by Victor Escudero <Linux.RuleThemAll(at)yahoo(dot)es> ,
#.- based on the excellent work of Antonio Anselmi (http://www.blogin.it)
#.-
#################################################################################################
# Current limitations:
# 1) WEP repeating WEP:
# If you are planning to repeat a WEP-encrypted signal, you must select exactly the SAME
# key for the interface you are connecting to (ath1 in station mode) and for the
# interface acting as the expander AP, also in WEP. Otherwise, although you can connect
# through cable (eth0), the wireless signal you are broadcasting might not be fully functional.
# There are no other limitations with WEP, so you can even change the authentication mode
# from shared to open authentication or vice versa without any problems.
# If you have any concerns about security (a WEP key can be recovered by anyone who passively
# captures enough traffic), it is advisable to broadcast the signal with WPA2 instead and to
# block any attempt on your Fonera through a list of authorized MACs (aclMode=1); the MAC list
# on its own is not a barrier, since MAC addresses travel in the clear and are easily cloned.
# 2) If you are broadcasting a signal with WPA/WPA2 on ath0 as your AP on 'La Fonera' you must
# not select bridge_mode, otherwise you would not be able to connect wirelessly.
#
# FEATURES:
# a) convert a non-encrypted signal to WEP or WPA/WPA2
# b) convert an encrypted signal to another signal without encryption
# c) convert a WEP signal from shared to open authentication and vice versa (same WEP keys)
# d) convert a WEP signal to WPA/WPA2 and vice versa (keys may differ, but the WPA/WPA2 signal must not be bridged)
# e) switch from WPA/WPA2 to another WPA/WPA2 (keys may differ, but without a bridge between ath0 & eth0)
# f) Bridge your home router, which provides the internet connection to your Fonera through cable (normally DHCP), to a wireless
# client that connects to your Fonera. There is no need to start a DHCP server on your Fonera, as your ADSL/cable router
# will do this for you. Your Fonera "bridges" these two networks together, so any traffic coming through your Fonera from
# one side is immediately seen on the other.
# g) You can join your own home cable/ADSL router with another signal from an AP near your Fonera. With this flavour both networks
# are bridged (joined) and at the same time broadcast wirelessly, so you can decide for example which internet connection you
# want to use: the connection of your own router or the internet connection provided by the other AP near your home (maybe yours,
# or maybe one of a neighbour who authorizes you to access the internet through his/her AP). This mode is very similar to WDS
# (WDS stands for Wireless Distribution System), but in this scenario you are not bridging two wireless signals together; you are
# joining one signal coming to your Fonera wirelessly (ath1) with another coming from a cable (eth0).
# ...
# h) .... lots of things you can't even think were possible
#################################################################################################

#****************************************************************************
#
# NO SPACE BETWEEN = AND VALUE
# parameter = value <---- WRONG
# parameter=value <---- RIGHT
#
#
#-------------------
# only-Access-Point
#-------------------
# set only_AP=1 if you plan to use the Fonera only as an Access Point (bridging its eth0)
# The only-Access-Point mode NEEDS bridge_mode=1 in the bridge configuration.
# It is also recommended to set kdhcp=1 in order to start the DHCP service listening on br0
only_AP=0
#
# SSID auto detect
kssid=1
# SSID is manual
#kssid=0
#SSID_ath0=Fonera_AP
#
#--------------------------------
# configuring Access Point (ath0)
#--------------------------------
# wireless mode
#0 Auto select operating mode
#1 802.11a (5GHz) mode (54Mbps)
#2 802.11b (2.4GHz) mode (11Mbps)
#3 802.11g (2.4GHz) mode with 802.11b compatibility (54Mbps)
#4 802.11 frequency hopping mode
#5 802.11a (5GHz) dynamic turbo mode
#6 802.11g (2GHz) dynamic turbo mode (108Mbps)
#7 802.11a (5GHz) static turbo mode
wMode=0
#
# access control list based on MAC
# you must create the file /etc/acl_list.conf with
# ONLY one mac address per line
# 0 no ACL checking is performed
# 1 Only allow ACLs in the ACL list
# 2 Only deny ACLs in the ACL list
aclMode=0
#
# Authentication mode
# 1 Open auth (this does not set anything, as it is the default)
# 2 Shared auth
ath0_authmode=1
#
# if you want WEP on ath0
# 0 Do not use wep
# 1 wep with ASCII key (wep128 => 13 chars)
# 2 wep with hexadecimal key (26 hex chars)
# The two keys below are placeholders from this page ("adminadminadm" and its hex form):
# replace them before setting kwep to 1 or 2, and prefer kwpa=1 with wpamode=2 where
# your clients allow it, since WEP keys can be recovered from captured traffic
kwep=0
WepKeyAscii_ath0=adminadminadm
WepKeyHex_ath0=61646D696E61646D696E61646D
#
# if you want WPA/WPA2 on ath0 put kwpa=1
# wpapassphrase is a placeholder from this page: replace it with your own passphrase
# (8 to 63 characters) before enabling kwpa
kwpa=0
wpapassphrase=adminadminadmin
# wpamode can be 1=wpa1, 2=wpa2, 3=both wpa/wpa2
wpamode=3
# pairwise ciphers offered to clients; leaving only CCMP here disables TKIP
wpapairwise="TKIP CCMP"
#
#
# 802.11 SSID broadcasting/cloaking on ath0
hideSSID=0
#
# !! if you plan to use a bridge you can skip the IP configuration !!
# IP configuration for ath0
# wifi iface of your pc must be in this subnet
IP_ath0=172.16.110.1
MASK_ath0=255.255.255.0
#
#---------------------------------------
# configuring eth0 interface (wired lan)
#---------------------------------------
# !! if you plan to use bridge you can skip !!
IP_eth0=172.16.120.1
MASK_eth0=255.255.255.0
#
#----------------------------------------
# configuring bridge br0 (ath0 - eth0)
#----------------------------------------
bridge_mode=0
IP_br0=172.16.130.1
MASK_br0=255.255.255.0
#
# ------------
# DHCP service
# ------------
# Remember: you must edit /etc/dnsmasq_repeater-<xxx>.conf, where xxx is br0 (when bridge_mode=1)
# or eth0 and ath0 (when the interfaces are not bridged), depending on your configuration.
kdhcp=1
#
#-------------------------------------
# configuring Station (ath1)
#-------------------------------------
# Authentication mode
# 1 Open auth (this is the default)
# 2 Shared auth
# 3 802.1X auth
ath1_authmode=1
#
# discover the strongest external AP (ath1_mode=1 automatically enables DHCP, see ath1_dhcp below)
ath1_mode=1
#
# targeted external AP by SSID
#ath1_mode=2
#TargetSsid=outdoor-net
#
# targeted external AP by MAC
#ath1_mode=3
#TargetMac=aa:bb:cc:dd:ee:ff
#
# targeted external AP via WPA-PSK (WPA personal)
# need /etc/wpa_supplicant.conf !
#ath1_mode=4
#TargetWpa=MyPlace
#
# targeted external AP via WEP (ASCII key)
#ath1_mode=5
# key in ASCII
#WepKeyAscii_ath1=adminadminadm
#TargetWepSsid=signaltoconnectto
#TargetWepMac=
#
# targeted external AP via WEP (hex key)
#ath1_mode=6
# key in hex
#WepKeyHex_ath1=DB4AD3464898F5AC3E971BFFDF
# target SSID or MAC
#TargetWepSsid=adsl8398
#TargetWepMac=
#
# Static Vs dynamic configuration gathered from the external AP
ath1_dhcp=1
#
#
# If you plan to use static IP configuration, choose ath1_dhcp=0 above and select
# proper values to these IPs.
#IP_ath1=192.168.0.99
#MASK_ath1=255.255.255.0
# default gateway
#DFGW=192.168.0.1
# name servers
#NAMESERVER1=208.67.222.222
#NAMESERVER2=208.67.220.220
#NAMESERVER3=213.134.45.129
#
#--------------------
# p2p port forwarding
#--------------------
#xmule=1
#IP_client_xmule=172.16.110.20 # wireless connected client
xmule=0
#
#btorrent=1
#IP_client_btorrent=172.16.120.20 # cable connected client
btorrent=0
#
#----------------------------------
# use of a monitor interface
#----------------------------------
# You might want to sniff some incoming/outgoing traffic on your Fonera
modeMonitor=0
# By default, monitor mode receives packets with prism2 headers prepended on them.
# To change this, you must set the appropriate value for kheaders (default=2)
# 11 Only 802.11 headers
# 2 Prism2 headers
# 3 Radiotap headers
# 4 Atheros Descriptors
kheaders=2
#
#---------------------------------
# hardening some TCP/IP parameters
#---------------------------------
khard=0
#
#----------------------------------
# logging malicious TCP/IP packets
#----------------------------------
klog=1
#
# End of /etc/config/bridge.conf



Creative Commons 2.0