
Install a home-built guest wifi router on Debian 8 Jessie

If you want to replace your old wifi router and have an old computer to spare, you can make your own wifi router.
You will need the computer's built-in network adapter plus a wifi adapter.

Here I use a Qualcomm Atheros AR9485 Wireless Network Adapter in an HP computer with an Intel(R) Core(TM)2 Duo CPU E8400 @ 3.00GHz and 2GB RAM.

Install packages

apt-get install bridge-utils shorewall hostapd isc-dhcp-server

Configure the network (change eth1 to eth0 if needed):

nano /etc/network/interfaces
#Internal network with internet access
# eth1 faces the upstream network and gets its address by DHCP; shorewall
# treats it as the "internal" zone below.
auto eth1
iface eth1 inet dhcp

#Wifi adapter
# No address on wlan0 itself: it is only a member of br0 (see bridge_ports
# below and bridge=br0 in hostapd.conf).
iface wlan0 inet manual

#Wifi bridge
# br0 carries the guest network. 172.16.10.1 is the address dhcpd hands out
# to guests as their router.
auto br0
iface br0 inet static
        address 172.16.10.1   
        netmask 255.255.255.0
        bridge_ports wlan0
        bridge_stp off

Configure services:

nano /etc/default/shorewall
startup=1
nano /etc/default/hostapd
DAEMON_CONF="/etc/hostapd/hostapd.conf"
nano /etc/default/isc-dhcp-server
INTERFACES="br0"

Restart the computer.

Configure dhcp:

nano /etc/dhcp/dhcpd.conf
# Guest pool served on br0 (INTERFACES="br0" in /etc/default/isc-dhcp-server).
subnet 172.16.10.0 netmask 255.255.255.0 {
# 51 addresses; widen the range if more simultaneous guests are expected.
range 172.16.10.50 172.16.10.100;
option subnet-mask 255.255.255.0;
option broadcast-address 172.16.10.255;
option routers 172.16.10.1; # set your gateway here
# NOTE(review): 8.8.8.8 is reached through eth1 (the "internal" zone), but the
# shorewall rules on this page only accept DNS from guests to the firewall
# itself ($FW). Confirm guests can actually resolve names, or run a resolver on
# the firewall and hand out 172.16.10.1 here instead.
option domain-name-servers 8.8.8.8; # set your DNS here
default-lease-time 86400;
max-lease-time 676800;
}

Configure hostapd:

nano /etc/hostapd/hostapd.conf
# Radio interface, attached to br0 so guests land on the 172.16.10.0/24 network.
interface=wlan0
bridge=br0
driver=nl80211
logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
# Control socket; group 0 restricts it to root.
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
# Placeholder: set your own network name.
ssid=SSIDNAME
country_code=FR
ieee80211d=1
ieee80211h=1
hw_mode=g
channel=9
beacon_int=100
dtim_period=2
max_num_sta=255
rts_threshold=2347
fragm_threshold=2346
# 0 = no MAC address filtering.
macaddr_acl=0
# NOTE(review): 3 enables both Open System and Shared Key authentication.
# Shared Key is the WEP-era method; the WPA2/CCMP setup below only needs Open
# System (auth_algs=1) — confirm before tightening.
auth_algs=3
# 0 = the SSID is broadcast.
ignore_broadcast_ssid=0
wmm_enabled=1
wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0
wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0
wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0
wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
ieee80211n=1
ht_capab=[HT40-][SHORT-GI-20][SHORT-GI-40]
eapol_key_index_workaround=0
eap_server=0
own_ip_addr=127.0.0.1
# WPA2 only, pre-shared key, CCMP (AES) for both pairwise settings; no TKIP
# fallback is configured.
wpa=2
# Placeholder: replace with your own passphrase (WPA-PSK passphrases are 8-63
# ASCII characters). It is stored in clear text here, so keep this file
# readable by root only.
wpa_passphrase=WIFISECUREPASSPHRASE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
# NOTE(review): no ap_isolate setting, so guests on br0 can talk to each other
# at layer 2 without passing through shorewall; set ap_isolate=1 if
# client-to-client traffic is unwanted on a guest network.

Configure shorewall:

nano /etc/shorewall/interfaces
# ZONE     INTERFACE      OPTIONS
# br0 is the guest zone: "dhcp" lets guests reach the DHCP server on the
# firewall, and sourceroute=0 refuses source-routed packets from guests.
wifi     br0            dhcp,tcpflags,nosmurfs,routefilter,logmartians,sourceroute=0
# eth1 is the upstream side.
internal      eth1            tcpflags,nosmurfs,routefilter,logmartians
nano /etc/shorewall/shorewall.conf
###############################################################################
#
#  Shorewall Version 4 -- /etc/shorewall/shorewall.conf
#
#  For information about the settings in this file, type "man shorewall.conf"
#
#  Manpage also online at http://www.shorewall.net/manpages/shorewall.conf.html
###############################################################################
#		       S T A R T U P   E N A B L E D
###############################################################################

# Lets the firewall start at boot (together with startup=1 in
# /etc/default/shorewall).
STARTUP_ENABLED=Yes

###############################################################################
#			     V E R B O S I T Y
###############################################################################

VERBOSITY=1

###############################################################################
#			       L O G G I N G
###############################################################################

BLACKLIST_LOG_LEVEL=

INVALID_LOG_LEVEL=

LOG_BACKEND=

LOG_MARTIANS=Yes

LOG_VERBOSITY=2

LOGALLNEW=

LOGFILE=/var/log/messages

LOGFORMAT="Shorewall:%s:%s:"

LOGTAGONLY=No

LOGLIMIT=

MACLIST_LOG_LEVEL=info

RELATED_LOG_LEVEL=

RPFILTER_LOG_LEVEL=info

SFILTER_LOG_LEVEL=info

SMURF_LOG_LEVEL=info

STARTUP_LOG=/var/log/shorewall-init.log

TCP_FLAGS_LOG_LEVEL=info

UNTRACKED_LOG_LEVEL=

###############################################################################
#	L O C A T I O N	  O F	F I L E S   A N D   D I R E C T O R I E S
###############################################################################

ARPTABLES=

CONFIG_PATH="${CONFDIR}/shorewall:${SHAREDIR}/shorewall"

GEOIPDIR=/usr/share/xt_geoip/LE

IPTABLES=

IP=

IPSET=

LOCKFILE=

MODULESDIR=

NFACCT=

PATH="/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin"

PERL=/usr/bin/perl

RESTOREFILE=restore

SHOREWALL_SHELL=/bin/sh

SUBSYSLOCK=""

TC=

###############################################################################
#		D E F A U L T   A C T I O N S / M A C R O S
###############################################################################

ACCEPT_DEFAULT=none
DROP_DEFAULT=Drop
NFQUEUE_DEFAULT=none
QUEUE_DEFAULT=none
REJECT_DEFAULT=Reject

###############################################################################
#			 R S H / R C P	C O M M A N D S
###############################################################################

RCP_COMMAND='scp ${files} ${root}@${system}:${destination}'
RSH_COMMAND='ssh ${root}@${system} ${command}'

###############################################################################
#			F I R E W A L L	  O P T I O N S
###############################################################################

ACCOUNTING=Yes

ACCOUNTING_TABLE=filter

ADD_IP_ALIASES=No

ADD_SNAT_ALIASES=No

ADMINISABSENTMINDED=Yes

BASIC_FILTERS=No

IGNOREUNKNOWNVARIABLES=No

AUTOCOMMENT=Yes

AUTOHELPERS=Yes

AUTOMAKE=No

BLACKLIST="NEW,INVALID,UNTRACKED"

CHAIN_SCRIPTS=Yes

CLAMPMSS=No

CLEAR_TC=Yes

COMPLETE=No

DEFER_DNS_RESOLUTION=Yes

DELETE_THEN_ADD=Yes

DETECT_DNAT_IPADDRS=No

# NOTE(review): everything on this page filters IPv4 only (shorewall, not
# shorewall6). With No, IPv6 is left untouched; confirm the host does not
# forward IPv6 between eth1 and br0, or set Yes to disable IPv6 on the box.
DISABLE_IPV6=No

DONT_LOAD=

DYNAMIC_BLACKLIST=Yes

EXPAND_POLICIES=Yes

EXPORTMODULES=Yes

FASTACCEPT=No

FORWARD_CLEAR_MARK=

HELPERS=

IMPLICIT_CONTINUE=No

INLINE_MATCHES=Yes

IPSET_WARNINGS=Yes

# NOTE(review): Keep leaves net.ipv4.ip_forward as the kernel already has it.
# This box routes between eth1 and br0, so forwarding must be enabled
# elsewhere (sysctl) or this should be Yes — confirm.
IP_FORWARDING=Keep

KEEP_RT_TABLES=No

LEGACY_FASTSTART=Yes

LOAD_HELPERS_ONLY=Yes

MACLIST_TABLE=filter

MACLIST_TTL=

MANGLE_ENABLED=Yes

MAPOLDACTIONS=No

MARK_IN_FORWARD_CHAIN=No

MODULE_SUFFIX=ko

MULTICAST=No

MUTEX_TIMEOUT=60

NULL_ROUTE_RFC1918=No

OPTIMIZE=0

OPTIMIZE_ACCOUNTING=No

REJECT_ACTION=

REQUIRE_INTERFACE=No

RESTORE_DEFAULT_ROUTE=Yes

RESTORE_ROUTEMARKS=Yes

RETAIN_ALIASES=No

ROUTE_FILTER=Yes

SAVE_ARPTABLES=No

SAVE_IPSETS=No

#TC_ENABLED=Internal
TC_ENABLED=Simple

TC_EXPERT=No

TC_PRIOMAP="2 3 3 3 2 3 1 1 2 2 2 2 2 2 2 2"

TRACK_PROVIDERS=No

TRACK_RULES=No

USE_DEFAULT_RT=Yes

USE_PHYSICAL_NAMES=No

USE_RT_NAMES=No

WARNOLDCAPVERSION=Yes

ZONE2ZONE=-

###############################################################################
#			P A C K E T   D I S P O S I T I O N
###############################################################################

BLACKLIST_DISPOSITION=DROP

INVALID_DISPOSITION=CONTINUE

MACLIST_DISPOSITION=REJECT

RELATED_DISPOSITION=ACCEPT

RPFILTER_DISPOSITION=DROP

SMURF_DISPOSITION=DROP

SFILTER_DISPOSITION=DROP

TCP_FLAGS_DISPOSITION=DROP

UNTRACKED_DISPOSITION=CONTINUE

################################################################################
#			P A C K E T  M A R K  L A Y O U T
################################################################################

TC_BITS=

PROVIDER_BITS=

PROVIDER_OFFSET=

MASK_BITS=

ZONE_BITS=0

################################################################################
#			     L E G A C Y  O P T I O N
#		       D O  N O T  D E L E T E	O R  A L T E R
################################################################################

IPSECFILE=zones

nano /etc/shorewall/zones
# ZONE     TYPE
# "fw" is the firewall itself (also written $FW in policy/rules); "wifi" is
# br0 and "internal" is eth1, as declared in /etc/shorewall/interfaces.
fw  firewall
wifi  ipv4
internal ipv4
nano /etc/shorewall/masq
# INTERFACE               SOURCE
# Masquerade (SNAT) private source ranges leaving eth1 towards upstream.
eth1                    10.0.0.0/8,\
                        169.254.0.0/16,\
                        172.16.0.0/12,\
                        192.168.0.0/16
# NOTE(review): this second entry also masquerades traffic leaving br0 towards
# the guests (e.g. from the internal zone); confirm that is intended.
br0                     10.0.0.0/8,\
                        169.254.0.0/16,\
                        172.16.0.0/12,\
                        192.168.0.0/16
nano /etc/shorewall/policy
# SOURCE          DEST            POLICY          LOG LEVEL
$FW             internal             ACCEPT
internal   wifi    ACCEPT    
internal   fw    ACCEPT    
# Guests are denied by default; only what /etc/shorewall/rules opens gets
# through, and dropped packets are logged at "info".
wifi             all             DROP            info
all   all   REJECT    info

Here are some quick rules to allow guests to access the internet:

nano /etc/shorewall/rules
?SECTION ALL
?SECTION ESTABLISHED
?SECTION RELATED
?SECTION INVALID
?SECTION UNTRACKED
?SECTION NEW
# Invalid-state TCP from guests is dropped before any ACCEPT below.
Invalid(DROP) wifi    all   tcp
# NOTE(review): this accepts DNS only to the firewall itself, but dhcpd hands
# guests 8.8.8.8, which lies beyond eth1 (internal). With the wifi->all DROP
# policy, guest name resolution likely fails unless a resolver runs on $FW;
# confirm, or add `DNS(ACCEPT) wifi internal` (ideally limited to the chosen
# resolver address).
DNS(ACCEPT)     wifi             $FW
# 192.168.0.10 is an internal host guests may reach for IMAPS, submission and
# OpenVPN. Rules match in order, so these three must stay above the DROP below.
#enable internal imap
ACCEPT          wifi            internal:192.168.0.10              tcp 993
#enable internal smtp
ACCEPT          wifi            internal:192.168.0.10              tcp 587
#enable internal vpn
ACCEPT          wifi            internal:192.168.0.10              udp 1194
#drop internal IPs
# NOTE(review): only 192.168.0.0/16 is blocked here. If the upstream side also
# uses 10.0.0.0/8 or 172.16.0.0/12 (both listed in the masq file), guests can
# still reach hosts there on 80/443/123 through the ACCEPT lines below —
# confirm, or list those ranges here as well.
DROP:info       wifi            internal:192.168.0.0/16
#enable https
ACCEPT    wifi    internal   tcp 443
#enable http
ACCEPT    wifi    internal   tcp 80
#enable ntp
ACCEPT    wifi    internal   udp 123
# The firewall itself may ping both zones.
ACCEPT    $FW   wifi       icmp
ACCEPT    $FW   internal   icmp

Test:

systemctl restart isc-dhcp-server
shorewall check
shorewall restart
hostapd -dd /etc/hostapd/hostapd.conf

Restart the computer and try connecting to the wifi again.
You can use Wifi Analyser to check your wifi settings.
