Linux Wi-Fi: Supercharge a Buffalo (Part 2)
The DD-WRT wireless router project brings the flexibility and power of Linux to inexpensive Wi-Fi gear. This week, learn how to secure it and tune it for speed.
In last week's installment, we installed DD-WRT on a Buffalo wireless broadband router. Today we're going to learn how to do package management, TurboBoost, access restrictions and WPA/WPA2 authentication and encryption.
While you're still getting your router configured, don't connect its WAN port to the Internet; it's not ready for that yet. It's better to treat it as an ordinary LAN host until you have it all set up. On the Setup -> Basic Setup page, disable the WAN port and the DHCP server, and set the correct time zone. (The Time Zone converter can help you here.) Then in the Network Setup section, configure it like any other host on your LAN, with a local address and using your Internet gateway, because you're going to need Internet access.
Package Management With ipkg
ipkg, the Itsy Package Management System, was designed for tiny systems like DD-WRT. Remember, on the Buffalo WHR-G54S we have only four megabytes of storage and we've already used up three, so every byte counts. ipkg weighs in at a mere 28K; in comparison dpkg, ipkg's big Debian sister, blows the scales at over 336K. Of course dpkg does more, but ipkg still manages to cram a lot of ability into few kilobytes. Here is a list of commonly-used commands:
- ipkg update: Update the package list
- ipkg list: Show all available packages
- ipkg install [package name]: Install a package
- ipkg install http://someurl/[package name]: Install a package from an online site
- ipkg remove [package name]: Remove a package
- ipkg upgrade: Update all installed packages to the latest versions
You should update your package lists and system before doing anything else:
~ # ipkg update
~ # ipkg upgrade
How do you know if you have enough room to install new packages? Use the df command:
~ # df -h
Filesystem Size Used Available Use% Mounted on
/dev/root 1.9M 1.9M 0 100% /
/dev/mtdblock/4 1.3M 388.0k 892.0k 30% /jffs
892 nice fat kilobytes of elbow room! So we can add a few things if we want. How do you know how big a package is before installing it? ipkg tells the tale:
~ # ipkg info snmpd
[...]
Size: 8942
This might drag in some dependencies, so let's see what they are:
~ # ipkg depends snmpd
snmpd libelf libnetsnmp
The -test and -noaction options for ipkg don't seem to exist on DD-WRT; these let you do a dry-run before performing an installation. So you'll have to figure out the total installation size manually.
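One way to do that manual tally is the script below, an added example that is not part of the original article. It assumes BusyBox awk is available on the router and that ipkg depends lists the package itself followed by its dependencies, as in the sample above; the function names, the two library sizes and the df -k line are made up for illustration. ipkg's Size field describes the package file, so the unpacked footprint can differ, which is why a reserve is kept free.

```shell
#!/bin/sh
# Added example (not from the article): manual dry run for an ipkg install.

# Size field, in bytes, from `ipkg info <pkg>` output on stdin.
pkg_size() { awk '$1 == "Size:" { print $2; exit }'; }

# Available KB on the last filesystem line of `df -k <mount>` output on stdin.
free_kb() { awk 'NR > 1 { avail = $4 } END { print avail }'; }

# Total of byte counts (one per line on stdin), in KB rounded up.
total_kb() { awk '{ sum += $1 } END { print int((sum + 1023) / 1024) }'; }

# fits NEED_KB FREE_KB [RESERVE_KB]: true if RESERVE_KB (default 64) stays free.
fits() { [ $(( $1 + ${3:-64} )) -le "$2" ]; }

# On the router: sum a package plus everything `ipkg depends` lists for it.
# Dependencies that are already installed are counted too, which errs on
# the safe side.
need_kb() {
  for p in $(ipkg depends "$1"); do
    ipkg info "$p" | pkg_size
  done | total_kb
}

# Constructed sample data. Only snmpd's 8942 bytes and the 892 KB free
# figure come from the article; the other values are stand-ins.
SAMPLE_SIZES='8942
31250
402113'
SAMPLE_DF='Filesystem 1k-blocks Used Available Use% Mounted on
/dev/mtdblock/4 1280 388 892 30% /jffs'

need=$(printf '%s\n' "$SAMPLE_SIZES" | total_kb)
free=$(printf '%s\n' "$SAMPLE_DF" | free_kb)
if fits "$need" "$free"; then
  echo "OK: need ${need} KB, ${free} KB free on /jffs"
else
  echo "STOP: need ${need} KB, only ${free} KB free on /jffs"
fi
```

On the router itself, replace the sample data with need=$(need_kb snmpd) and free=$(df -k /jffs | free_kb).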
Super-Duper Turbo Stuff
You've seen all the hype over super-fast wireless speeds, like Turbo-boost and Supercharge and Speed-booster and various other excitable marketing terms. Each vendor has its own way of implementing these. Some use channel-bonding, some use packet- or frame-bursting. According to the DD-WRT Wiki, DD-WRT supports Broadcom's "AfterBurner" technology. This supports the following speed boost technologies:
- TurboG 125mbps
It does not support "Super-G," which is an Atheros specification. Ralink, Realtek, Broadcom-based wireless adapters, and various other client adapters that boast of super-speed thingies should work with AfterBurner, though I make no promises. Turn it on in DD-WRT in the Wireless -> Advanced Settings page. Then you'll have to enable it in the client's wireless adapter as well. On Windows, go to the Advanced tab of the network configuration tool. On Linux, well, I don't know yet. But I promise to write a howto very soon.
It won't break anything to have it enabled with unsupported clients, such as ordinary 802.11g and Atheros clients, but it will slow down their performance.
DD-WRT has some nice easy ways to restrict both Internet and wireless access. On the Access Restrictions tab you can define up to ten different Internet access policies. You can restrict or allow access by either MAC address or IP address, ranges of IP addresses, and define times of day and days of the week. There are nice easy checkboxes for restricting various P2P protocols, and you can add your own. You can also block Websites by URL or keywords. You can't create a Website whitelist, which would be a nice feature for those situations when you want to allow access only to certain specific sites, and block everything else.
Wireless -> Advanced settings lets you turn the wireless radio on or off at certain hours. It doesn't have a day-of-the-week control, just hours.
Making It Pretty
Way down at the bottom of the Administration page is "Router GUI Style." Here be a number of different themes for prettying up your Web control panel.
Easy Wireless Security
Whatever you do, don't use WEP. WEP is so feeble you might as well operate in the clear. No no no to WEP. If you have some antique interface cards that only support WEP, get rid of them. Buy new ones that support WPA/WPA2. It's cheaper than getting pwned.
OK, now that we have the lecture out of the way, nice strong WPA-Personal encryption is easy to set up with DD-WRT. Your whole WLAN must use the same type of encryption; you cannot mix it up. WPA2 is considerably stronger than WPA, so your ideal scenario is that all of your client adapters support it. If they don't, WPA is OK, and a lot stronger than WEP.
Go to Wireless -> Wireless Security and select either "WPA Pre-shared Key" or "WPA2 Pre-Shared Key Only." Select "AES" in the "WPA Algorithms" box if your client interfaces support it. If they don't, select "TKIP." Then enter your key, which is a password up to 63 characters long. There are all kinds of password generators on the Internet if you want a little help. Copy this key to all of your clients, and you are done.
All clients having the same key is not ideal, but it is quick and easy, and a whole lot better than WEP.
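Instead of an online password generator, the key can be produced on a machine you trust. The following is an added example, not part of the original article; the function names gen_psk and valid_psk are made up for it, and the 8-character minimum comes from the WPA passphrase rules rather than from the text above.

```shell
#!/bin/sh
# Added example: create and check a WPA/WPA2 pre-shared key locally.

# gen_psk [LEN]: LEN (default 63) random characters from A-Z, a-z, 0-9,
# read from the kernel's random source.
gen_psk() {
  len=${1:-63}
  psk=
  while [ "${#psk}" -lt "$len" ]; do
    chunk=$(head -c 256 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
    psk="$psk$chunk"
  done
  printf '%s\n' "$psk" | cut -c "1-$len"
}

# valid_psk KEY: true if KEY is 8 to 63 printable ASCII characters
# (space through tilde), the form a WPA passphrase must have.
valid_psk() {
  n=${#1}
  [ "$n" -ge 8 ] && [ "$n" -le 63 ] || return 1
  # Delete every printable ASCII character; anything left is not allowed.
  rest=$(printf '%s' "$1" | LC_ALL=C tr -d ' -~')
  [ -z "$rest" ]
}

key=$(gen_psk 63)
if valid_psk "$key"; then
  printf 'Key for the router and every client:\n%s\n' "$key"
fi
```

valid_psk is also handy for checking a hand-made passphrase before typing it into the router and every client.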
If you have a RADIUS server running already, DD-WRT can easily hand over the job of authentication and encryption to it. Don't have any encryption on your DD-WRT router because your RADIUS server handles this. Go to Wireless -> RADIUS and fill in the blanks; easy peasey. (Please don't use MAC addresses as passwords. Ever. Please.) The one configuration you'll want to think about is "Override Radius if server is unavailable." If your RADIUS server is down, so is your wireless. Some admins like to enable the override so they can still administer their access points over a wireless connection. Me, I think it's better to leave it disabled and SSH in from your wired LAN.
- ipkg - the Itsy Package Management System
- Better Wi-Fi on the Linux Horizon
- This table shows what you get in the different DD-WRT versions
- WEP: Cracked in 60 Seconds
- Linux on Your WLAN: Configure WPA