Golden Villas Installation Planning

Note: This document was a 'living' document during the planning phase, and as such was never quite up to date. So far it has not been updated to reflect the final outcome on the installation day. However, we're leaving it here in this state to serve as a guide for the next install and/or interested readers. Please don't mistake it for "the whole truth and nothing but the truth".


This document is a central planning document for the Golden Villa installation day. The address is
http://maps.google.com/maps?q=3385%20Elm%20St%2C%20san%20diego%2C%20ca and the start time is 10am.

The installation has four parts:

  1. Installing the main wireless node above the office
  2. Installing the repeater wireless node
  3. Installing and configuring the common room computer lab
  4. Helping residents get online

Below are the details for each part of the installation.

Main Wireless AP and Office Router

Requirements

The main AP will be located on the peak of the roof which contains the office. The AP will be mounted directly on the wall and the antenna will be in a short pole screwed directly onto the roof peak. A supplied Cat-5 cable will run down the roof and through a new hole into the office where it will be connected to a router which will split the cable internet between the office network and wireless network.

The network configuration is detailed here and there is a separate step by step covering the m0n0wall configuration and Netgate HS3000 AP configuration.

Challenges

  • The 50ft pre-made cable supplied with the AP might be too short to go all the way from the rooftop to the office, and it has a proprietary plug on one end. We may have to join the cable outside.
  • The AP has a mounting plate that we should be able to mount directly to the wood face board, but if not, we may need to mount all the equipment on the pole.

Equipment List

The following equipment has been purchased for the installation:

Netgate HS3000 which includes a 50 ft outdoor cat-5 cable
SuperPass 8dBi 10 degree downtilt omni
Hyperlinktech Lightning Protector
Soekris 4501 in case with m0n0wall

Still to be Done

Purchase a drill bit to put the cable through the office wall
Purchase sealant to fill the hole after we put the cable through
Solve the problem of extending the ethernet cable if necessary.
Configure the MikroTik
Configure the AP

General Comments

Wireless Repeater

Requirements

The second wireless AP will be mounted at the other end of the complex. It will operate in repeater mode.

Challenges

  • The 50ft pre-made cable supplied with the AP might be too short to go all the way from the rooftop to the office, and it has a proprietary plug on one end. We may have to join the cable outside.

Equipment List

The following equipment has been purchased for the installation:

Still to be Done

General Comments

Computer Lab Installation

Requirements

We will receive 6 computers running fresh installations of either Win2k or WinXP, complete with keyboard, mouse and monitors. They need to be hooked together into a switch with a D-Link kit which will get the signal from the main AP.

Equipment List

The following equipment has been purchased for the installation:

D-Link Bridge Kit to hook up the lab to the network
Cat-5 cables

Still to be Done

Need an 8 port hub
Need a few power strips
Pick up the donated computers

General Comments

Resident Installation

Requirements

Challenges

Equipment List

The following equipment has been purchased for the installation:

Eight D-Link Kits - already programmed for socalfreenet.org (thanks John Kim!)

Still to be Done

General Comments

Home Depot Shopping List

Ground lug
"U" clamps and matching wood screws
Radiator clamps

Golden Villas - HS3000 Configuration

Here is a brief description of how we configured the two Netgate HS3000 250mW APs we're using at Golden Villas.

Setup is very much like configuring any AP, but with one twist - adding the WDS (Wireless Distribution System) setup. The basic steps are:

  1. set a static IP on your computer such as 192.168.2.100 (255.255.255.0)
  2. connect to the HS3000 via ethernet, turn it on, etc.
  3. connect an ethernet cable from your computer to the HS3000 - a crossover cable is needed for a direct connection
  4. open a browser at http://192.168.2.254, no password is needed
  5. Under the wireless Basic Settings, set:
    • Mode: AP
    • SSID: socalfreenet.org
    • Channel 11 - channel 6 is invariably busy so we typically use either 1 or 11. At this location there wasn't much activity on any channels during the site survey
    • Apply Changes
  6. Under the Wireless Advanced Settings, we bumped the power up to 250mW (24dBm) but left everything else at the default

At this point we stopped to check that everything was working ok via wireless. Note that the AP resets between almost any setting change, so there is a pause and lost connection during this period.

Next we configured the LAN settings to match the network design, as follows:

  1. Click on TCP/IP settings
  2. set IP address to 10.12.11.130 (and 131 for the 2nd radio)
  3. subnet mask is 255.255.255.128 (/25)
  4. default gateway is 10.12.11.128 (_though this is probably not used_)
  5. DHCP was left disabled

At this point, of course, you need to switch the computer IP used. We actually plugged into the previously configured m0n0wall box and connected wirelessly. The m0n0wall gave us an IP and after going through the captive portal we could surf the net as hoped.

The last step was to turn on WDS support. The HS3000 requires that both "master" and "repeater" be set to point to each other. A convenient way to get the required MAC addresses is to use the Wireless Site Survey link, assuming both radios are on. Of course there are also stickers on the metal case and on the box they came in.

  1. Click on Wireless -> WDS Settings
  2. Check the Enable WDS option
  3. enter the MAC address of the other radio
  4. click on Apply Changes
  5. repeat for the other radio

Now you're ready to test. This turned out to be a little tricky. Most client software doesn't give you any control over which AP you connect to and may even ping-pong between APs. So not only is it hard to force the client to use a particular AP (e.g. the repeater instead of the master), most software won't even tell you the MAC address of the AP you're connected with. Before we worked out the test technique below we saw a lot of strange behaviour: very slow links, dropped packets etc.

Skipping to what worked, we turned on the master AP but left the antenna disconnected (key step!). A few feet away we put the 2nd 'repeater' AP with its 8dBi omni connected. Then we took a laptop a few rooms away - i.e. far enough for the master to be too weak, but a good signal from the repeater was available. (This proved much better than our first approach of leaving both antennas on and taking the repeater AP a few rooms away.)

It was interesting to start a ping to both radios and watch the results. From two separate pings to 10.12.11.130 and 10.12.11.131 the ping time for the connected radio was 1-2ms and double that for the other. As we walked away with the laptop and the client software switched from the master AP to the repeater, the pings first started timing out and then the times reversed with the shorter time for the repeater.

After the above we were satisfied that we had the network ready to install. Phew!

Golden Villas - m0n0wall configuration

Here are the steps taken to program m0n0wall for use at Golden Villas apartments with a Soekris 4501 box. Read the Network Configuration in conjunction with this guide.

The latest version of m0n0wall available was used, 1.2b3. It was configured as follows.

  1. Interfaces -> assign: add the third interface and enable it
  2. Rename the interfaces: LAN, WLAN and WAN and assign to sis0, sis1, sis2 respectively
  3. set the LAN IP to 10.12.11.1/25
  4. set the WLAN IP to 10.12.11.129/25
  5. leave WAN at DHCP as the cable modem will be DHCP
  6. Under Services -> DHCP:
    • set LAN range to 10.12.11.50 - 10.12.11.99
    • set WLAN range to 10.12.11.154 - 10.12.11.250
  7. Under System -> General Setup:
    • Change hostname to goldenvilla
    • change password
    • set webGUI protocol to https
    • set timezone to America/Los_Angeles
  8. Under Firewall -> Rules, click on the LAN tab (if not already selected). Then click on the + sign next to the rule that has the description "Default LAN -> any". This creates a new rule with the same settings and opens it in edit mode. Then change:
    • Interface: WLAN
    • Source: WLAN subnet
    • Description: Default WLAN -> any

Those are the important settings completed. Everything should basically work at this point and it's worth stopping to make sure.
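A consistency check of the addressing used on this page (m0n0wall interfaces and DHCP pools, plus the static addresses and gateway entered on the HS3000s), written as an added Python example that is not part of the original guide. The function and dictionary names are made up for illustration.

```python
import ipaddress as ip

# Addressing taken from this page's m0n0wall and HS3000 steps.
PLAN = {
    "LAN": {"iface": "10.12.11.1/25",
            "pool": ("10.12.11.50", "10.12.11.99"), "static": {}},
    "WLAN": {"iface": "10.12.11.129/25",
             "pool": ("10.12.11.154", "10.12.11.250"),
             "static": {"master AP": "10.12.11.130",
                        "repeater AP": "10.12.11.131"}},
}
AP_GATEWAY = "10.12.11.128"  # default gateway entered on the HS3000s


def check_plan(plan, ap_gateway):
    """Return a list of human-readable findings; empty means consistent."""
    findings, nets = [], {}
    for name, seg in plan.items():
        iface = ip.ip_interface(seg["iface"])
        net = nets[name] = iface.network
        lo, hi = (ip.ip_address(a) for a in seg["pool"])
        if not (lo in net and hi in net and lo <= hi):
            findings.append(f"{name}: DHCP pool is not inside {net}")
        if lo <= iface.ip <= hi:
            findings.append(f"{name}: router address {iface.ip} is in the pool")
        for host, addr in seg["static"].items():
            a = ip.ip_address(addr)
            if a not in net or a in (net.network_address, net.broadcast_address):
                findings.append(f"{name}: {host} {a} is not a usable host in {net}")
            elif lo <= a <= hi:
                findings.append(f"{name}: {host} {a} collides with the DHCP pool")
    if nets["LAN"].overlaps(nets["WLAN"]):
        findings.append("LAN and WLAN subnets overlap")
    # The APs sit on the WLAN segment, so their gateway should be the
    # firewall's WLAN interface address.
    gw, wlan_if = ip.ip_address(ap_gateway), ip.ip_interface(plan["WLAN"]["iface"])
    if gw != wlan_if.ip:
        kind = ("the network address of" if gw == wlan_if.network.network_address
                else "not the router address on")
        findings.append(f"AP gateway {gw} is {kind} {wlan_if.network}")
    return findings


if __name__ == "__main__":
    for line in check_plan(PLAN, AP_GATEWAY) or ["plan is consistent"]:
        print(line)
```

The pools, static AP addresses and subnets pass; the one finding is the AP gateway value, which matters only if the APs need to reach hosts outside their own subnet.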

We want to keep the LAN completely firewalled from the WLAN so we need some rules to ensure that it is:

  1. click on the Firewall -> Rules -> WLAN tab
  2. click 'e' next to the WLAN rule that allows all traffic anywhere
  3. under Destination check the 'not' box and then select LAN subnet from Type
  4. tweak the description (e.g. add ", except LAN")
  5. Click Save
  6. Click Apply Changes

Unfortunately now we can't admin the firewall via wireless on the WLAN, so we add another rule. We make this rule very specific:

  1. click on the Firewall -> Rules -> WLAN tab
  2. click '+' next to the WLAN rule that allows all traffic anywhere
  3. change Protocol to TCP
  4. change Destination to Type "Single host or alias" and the address to 10.12.11.1
  5. set the Destination port range to HTTPS
  6. tweak the description, e.g. "Allow WLAN admin access"
  7. Click Save
  8. now move the new rule to the top by checking the empty box against the new rule and then clicking on the left arrow against the first
  9. Click Apply Changes

At this point it should now be possible to access https://10.12.11.1 from a client on the WLAN port (i.e. a wireless client once WLAN is connected to an AP).
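To see what the two WLAN rules permit once both are in place, here is a small Python model of them (an added example, not m0n0wall code or part of the original guide). It assumes rules are checked top to bottom with the first match passing the packet and anything unmatched blocked; the client address and test destinations are constructed.

```python
import ipaddress as ip

LAN = ip.ip_network("10.12.11.0/25")
WLAN = ip.ip_network("10.12.11.128/25")
FW_LAN_IP = ip.ip_address("10.12.11.1")

# WLAN-tab rules, top first, as the page leaves them. Both are pass rules
# with Source: WLAN subnet. Fields: description, protocol (None = any),
# destination test, destination port (None = any).
RULES = [
    ("Allow WLAN admin access", "tcp", lambda d: d == FW_LAN_IP, 443),
    ("Default WLAN -> any, except LAN", None, lambda d: d not in LAN, None),
]


def evaluate(src, dst, proto, port=None):
    """Return the description of the first rule passing the packet, else None."""
    src, dst = ip.ip_address(src), ip.ip_address(dst)
    if src not in WLAN:
        return None
    for desc, r_proto, dst_ok, r_port in RULES:
        if r_proto is not None and r_proto != proto:
            continue
        if r_port is not None and r_port != port:
            continue
        if dst_ok(dst):
            return desc
    return None  # assumption: unmatched traffic is blocked


# Constructed destinations: (address, protocol, port).
CASES = [
    ("203.0.113.10", "tcp", 80),   # Internet host
    ("10.12.11.60", "tcp", 80),    # office machine on the LAN
    ("10.12.11.1", "tcp", 443),    # webGUI on the firewall's LAN address
    ("10.12.11.1", "tcp", 80),     # same address, other port
    ("10.12.11.1", "icmp", None),  # ping to the LAN address
    ("10.12.11.129", "tcp", 443),  # firewall's WLAN address (outside LAN)
]


def audit(client="10.12.11.160"):
    """Map each constructed case to the rule that passes it (None = blocked)."""
    return {c: evaluate(client, *c) for c in CASES}


if __name__ == "__main__":
    for case, verdict in audit().items():
        print(case, "->", verdict or "BLOCKED")
```

Note the last case: the firewall's own WLAN address is outside the LAN subnet, so the "except LAN" rule passes traffic to it on any port, while the LAN address is reachable from wireless only on TCP 443.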

Some more settings will complete the configuration:

  1. Under Diagnostics -> Logs -> Settings
    • set remote syslog server IP
    • check "Show log entries in reverse order"
  2. fill in the Firewall -> Traffic shaper -> Magic shaper wizard settings and enable the traffic shaper. Check both options - share bandwidth evenly and set P2P to lowest priority
  3. configure Services -> captive portal:
    • enable captive portal
    • interface WLAN
    • idle timeout: 60 mins
    • hard timeout: 1440 mins (24 hours)
    • add the portal page - see file attached to this page
  4. click on Services -> captive portal -> Allowed IP addresses and allow www.socalfreenet.org to be visited without authentication
    • select "To"
    • add IP 216.193.213.171
    • description: www.socalfreenet.org

That's it! Save the configuration just to be safe (under Diagnostics -> Backup/Restore).