Open Source Wifi Hotspot
Implementation
The goal of this paper is to describe a design—includ-
ing the hardware, software, and configuration––for an
open source wireless network. The network designed will
require authentication. While care will be taken to keep
the authentication exchange secure, the network will oth-
erwise transmit data without encryption.
W
ireless networks are an essential tool for provid-
ing service for colleges and libraries. This paper
will explain the setup of a wireless network
using open-source software and inexpensive commodity
hardware. Open-source software was employed exclu-
sively. This allowed for flexibility in design and reduction
in expense while also providing a platform for students to
learn more about the internal workings of the system by
examining particular sections of code in which they have
interest. Standard commodity hardware was used as a
means of saving cost. This should allow others to repeat
this design with a minimum of funding.
The purpose of a network, like any resource, is to
provide a service for those who own it; in this case, the
patrons of a library, or students, faculty, and staff at a col-
lege. To ensure that this network serves its owners, users
will be required to authenticate before gaining access.
Once authenticated, the central captive portal can pro-
vide different levels of service for specific user groups,
including guest access, if desired. For this system, ease
of access for users was the primary concern; other than
using the Secure Socket Layer for authentication, the
remainder of the traffic was unencrypted.
Other than the base nodes, the remaining access points
were connected to each other using a wireless connection
in order to avoid physically connecting all access points
across campus and to further reduce the expense for the
deployment of the network. This was accomplished using
the WDS (wireless distributed system) feature on the
wireless routers. All access points connect to a centralized
set of servers that provide: DHCP, Web-caching proxy,
DNS caching, radius, Web server, a captive portal, and
logging of network traffic.
N Hardware
Requirements for the network were relatively modest,
using inexpensive wireless routers along with several
Linux servers built upon older Pentium 3 desktop systems.
Linksys WRT54GS routers were chosen as the access points
as they are inexpensive, readily available, and possess the
ability to run custom open-source firmware. Other access
points could be used; however, the configuration sugges-
tions are specific to the WRT54GS and may not apply to
OPEN SOURCE WIFI HOTSPOT IMPLEMENTATION | SONDAG AND FEHER
Tyler Sondag and Jim Feher
other hardware. The routing functions of the WRT54GS
were not used in this implementation. The servers need not
be anything special; older hardware will work just fine. For
this implementation, decommissioned 900 MHz units with
512MB of RAM and 40GB hard drives were used.
N Wireless router software
In order to provide the functionality required, the units
had their firmware flashed with an open-source, Linux-
based operating system available from OpenWrt for the
Linksys routers (http://www.openwrt.org). Support is also
available for other wireless devices. “The firmware from
OpenWrt provides a fully writable file system with pack-
age management. This allows developers the freedom to
customize the devices by choosing only the packages and
software that are necessary for their applications.”1 As the
routers have limited storage, being able to hand select only
the necessary components is a definite advantage.
N Server software
For the operating system on the servers, Fedora Core
was chosen.2 Fedora provides the Yellow Dog Updater,
Modified (yum), which eases the updating of all pack-
ages installed on the system, including kernel updates.3
This aids security by providing a platform for easily and
frequently updating the system. Fedora Core is an open-
source distribution that is available for free. Fedora Core
also comes with many other open-source packages that
were used in this design, such as the Apache Web server.
While the designers had more familiarity with Fedora,
other distributions are also available that provide simi-
lar benefits (Suse, Ubuntu, OpenBSD, Debian, etc.). The
server was run in command line mode with no graphical
user interface in order to reduce the load on the server
and save space on the hard drive.
N Captive portal
In order to require authentication before gaining access
to the network, a captive portal was used. Some of the
Jim Feher ([email protected]) is an Associate Professor
of Computer Science at McKendree College in Lebanon, Illinois.
Tyler Sondag ([email protected]), is a senior in
Computer Science at McKendree College.
35
desired features in the choice of the captive portal were:
encrypted authentication, traffic logging, and the ability
to provide different levels of service for different user
groups. Logging traffic allows the system administrators
to identify accounts that have been misusing the network.
Those who inadvertently misuse the system or perhaps
have had their accounts compromised can have their
access temporarily disabled until they can be contacted
with instructions concerning acceptable use of the net-
work. As the network must be shared by all, those who
habitually abuse the resource can have their accounts per-
manently disabled. The captive portal should also redi-
rect Web traffic to a login page that is served on the Secure
Socket Layer until the user logs in. Chillispot was chosen
as it possesses all of the features mentioned above.4
N allow for the transparent setup of the Web proxy
Server layout
As can be seen in appendix A, three servers were used
for this implementation. The first server was used as
the main router to the Internet. The second server ran
a Squid Web caching server.5 It also ran a DNS cach-
ing server and the FreeRADIUS server.6 The third was
used for the captive portal. Three servers were used for
various reasons. First, this distributed the load. Second,
portions of the network that were not behind the cap-
tive portal could more easily use the services on the
second server running Squid, DNS, and FreeRADIUS. It
should be noted that three independent servers are not
required; many of the services could be consolidated on
two or even one single server to reduce the hardware
requirements. The implementation depends upon the
specific needs for the network.
N Server installation
Installing the operating system (Fedora Core) on each
server is a relatively straightforward procedure. Each
machine was partitioned with 1024 MBs of swap space
with the rest of the drive being an ext3 partition with
the mount point “/”. Only the minimal set of packages
required were installed at this time. The first server,
server #1 (router), was given three network interfaces,
one for the Internet connection, one to connect to a switch
that then connects to server #2 (Web/DNS caching and
radius) as well as other machines that do not connect
through the captive portal, and one connecting to server
#3 (captive portal machine). The second server, server #2,
only needs one interface, but the third, server #3, requires
two interfaces, one for the master wireless access point,
and one to connect to the switch connecting this machine
36 INFORMATION TECHNOLOGY AND LIBRARIES | JUNE 2007
to the rest of the network (appendix A). SSH login for root
was also disabled at this time for added security.
N Server #1 configuration
For server #1, very little setup was required. Since this
server works mainly as a router, the only major items that
went into its configuration were the iptables rules, which
are shown and described in appendix B.7 Rules were set
up to:
N set up network address translation;
N allow traffic to flow within the network;
N log the traffic from the wireless portion of the net-
work;
N
server; and
N set up port knocking before allowing users to log into
the router via SSH.8
A reference to this script was placed in the /etc/rc.d/
rc.local file so that it would run when the server boots.
Last was the setup of the three network interfaces in
the machine. This can be done during system installation
or afterwards on the Fedora Core based server by editing
the configuration files in the /etc/sysconfig/networking-
scripts/ directory. One of the configuration files used in
this implementation can be seen in appendix C. Of course
the configuration will change as the topology of the net-
work changes.
N Server #2 configuration
The second server required significantly more setup to
configure all of the necessary services that it runs. The
first service added for this implementation was the Web-
caching proxy server, Squid. Squid’s default configura-
tion file (/etc/squid.conf) is quite large; fortunately it
requires little modification to get a simple server up and
running.9 The changes made for this implementation can
be seen in appendix D. The most important lines in this
configuration are the last few, which enable it to act as a
transparent proxy server, making it invisible to the users
and requiring no setup of their browsers.
As there was no need for an authoritative DNS server,
just DNS caching for the network, dnsmasq, which is
easy to configure and can handle both DHCP services as
well as DNS caching, was chosen.10 In this instance, the
captive portal was used to provide DHCP services for the
wireless clients; however dnsmasq was used for dynamic
clients on the remaining portion of the network. Dnsmasq
is relatively easy to configure, requiring only one change
in its default configuration file, which points to the file in
which the DNS server addresses are stored, in this case
/etc/dnsmasq_resolv.conf.
Next is the configuration of FreeRADIUS server.
There are two files that need to be modified for the radius
server; both are in the /etc/raddb/ directory. The first is
clients.conf (appendix E). In this file at least two clients
must be listed, one for localhost (this machine) and one
for the captive portal machine. For each machine, a pass-
word must be specified as well as the hostname for that
machine. This establishes the shared key that is used to
encrypt communication between the captive portal and
the radius server. The second is the users file (appendix
F). In this file, each user for the captive portal system
must be listed with his/her password. This implementa-
tion also included a class, a session timeout (dhcp lease
time), idle timeout, accounting interim interval, and
the maximum upload and download speeds. If guest
access is required, one or several guest accounts should
be added to this file along with entries for the registered
users. An entry was added for each access point so that
they can obtain an IP address from the DHCP server.
Finally for this machine, the interface configuration file
was changed according to the network specifications. For
this machine the configuration is simple since it only has
one interface, and the only requirement for its address
is that it be on the same network as the interface on the
main router server to which it is connected.
N Server #3 configuration
The third server required the installation of the captive
portal software, in this case Chillispot. In order to install
Chillispot, if Fedora was used for the base system, it may
be possible to install it as a prepackaged binary in the
form an RPM package manager (rpm) file. Otherwise, if
you find that you need to compile Chillispot from source
code, you may need to deviate from a minimal installa-
tion of the operating system and base components and
also include the GNU compiler collection (gcc).
When installing from source code, first download the
code from the Chillispot Web site. Once the code is down-
loaded, unzipped and untarred, installing the Chillispot
daemon is done by entering the directory containing the
source files and entering the standard commands:
./configure
make
make install
When Chillispot is on the system, either by compiling
from source or through an rpm file, two more files must
PUBLIC LIBRARIES AND
OPEN
INTERNET
SOURCEACCESS
WIFI HOTSPOT
be configured and copied to the proper directory, the
main configuration file and the login file.
The configuration file, chilli.conf, is located in the
directory that contains the source files. Move this file to
the /etc/ directory and make the necessary changes. In
this implementation, the file required several changes
(appendix G). One of the more significant alterations was
to change the default network range of 192.168.182.0/24,
which would be limited to less than 256 addresses.
The address range was for the DHCP server was also
expanded to allow for more users. The lower portion of
the network range was left to make room for addresses
that could be assigned to the wireless access points. An
entry was added to allow the access points to obtain a
static IP address in that lower range.
After this, settings must be changed for the DNS
addresses given out to clients, and the address of the
radius server. There is also a setting in the Chillispot
configuration file that allows users to access a certain list
of domains without logging in. For this implementation,
the decision was to allow the users access to the campus
network, as well as to the DNS server. Next, the “radi-
ussecret” must be set. This is the same password that was
entered into the clients.conf file on the radius server for
this machine. It is also necessary to set the address of the
page to which users will be directed. Two lines must also
be added to allow authentication using the physical or
media access control (mac) address for the access points.
All of the access points shared a common password.
Chillispot passes the physical address of the access point
to the radius server along with this password. A separate
entry must exist in the radius configuration file for each
IP/physical address combination.
For this setup, the redirect page was placed on this
server, therefore Apache (using yum) was also installed,
and this server’s address was added as the Web address
for the redirect page (also note that the https module may
be required for apache if it does not automatically install).
Rather than write a new page at this time, the sample
page (hotspotlogin.cgi) from the Chillispot source folder
was copied and modified slightly (appendix H). In addi-
tion, a Secure Socket Layer (SSL) certificate was installed
on this server. This is not necessary, but it helps to avoid
the warnings that pop up when a client attempts to access
the login page with a browser.
A few iptables rules need to be added. The first com-
mand needs to be executed in order to utilize Network
Address Translation (NAT) and have the server forward
packets to the outside network.
/sbin/iptables -t nat -A POSTROUTING -o eth0 \
-j MASQUERADE
The next is used to drop all outbound traffic originating
from the access points. This prevents anyone spoofing
the physical address of the access point from accessing
| JAEGER,
IMPLEMENTATION
BERTOT, MCCLURE,
| SONDAG
AND RODRIGUEZ
AND FEHER 37
the Internet, while still allowing the access points and
the Chillispot server to communicate for configuration
and monitoring.
/sbin/iptables -A FORWARD -s 192.168.182.0/24 \
-j DROP
These commands need to be executed when the
Chillispot machine boots, so they were placed into the
/etc/rc.d/rc.local file. It may also be necessary to ensure
that the machine can forward network traffic. This can be
accomplished with the following command, which is also
found as the first executable command from the script in
appendix B:
echo “1” > /proc/sys/net/ipv4/ip_forward
Finally, the configuration files for the interfaces were
set up.
All of this is detailed in appendix J. A final set of com-
mands, which were needed for the WRT54GS, are included
to allow the access point to obtain its IP address from the
DHCP server. These commands may not be necessary
depending upon the type of access point used. Since extra
wireless access points are available, if an access point fails
or is having problems for some reason, it is simply a matter
of running a script similar to the one found in the appendix
on one of the extra routers and swapping it out.
N Security
Unfortunately this system is not very secure. Only the
login credentials are encrypted via SSL. General data
packets are in no way encrypted, so any information
being transmitted is available to anyone sniffing the
channel. WEP and WPA could be used for encryption,
but they have known vulnerabilities. Other methods exist

N OpenWrt installation and

configuration
for securing the network such as WPA with RADIUS or
the use of a Virtual Private Network, however the client
setup for such systems may not be considered trivial
Several ways exist to replace the default Linksys firmware
for the typical user. Therefore it was decided that it was
with the OpenWrt firmware.11 The tftp protocol can be
better to inform the users that the data was not being
used with both Windows and Linux, and one such method
encrypted and let them act accordingly, rather than use
can be found in Appendix I.12 In addition, other methods
encryption with known flaws or invest the time required
for using the standard Web interface can be found on
to train the general population on how to configure their
the OpenWrt Web site.13 There are several versions of the
mobile units to use a more secure form of encryption. As
OpenWrt firmware available; the newest version that uses
the main goal of this particular network was connectivity
the squashfs filesystem was chosen because it utilizes com-
and not security, it was felt that this was a fair trade-
pression that frees more space on the access point.
off. As new standards for wireless communication are
OpenWrt comes with a default Web interface that can
developed and commodity hardware that supports them
be used for configuration, however, ssh was enabled and
becomes available, this may change so that encrypted
a script using the nvram command was used to configure
channels can be employed more easily.
each access point (see appendix J). Before ssh can be used,
you must telnet into the router and change the default
password (which for Linksys routers is ‘admin’).
NOTE: Even if you decide to use the Web interface,
you should still change the default password.
N Conclusion
As several services that were installed with the
This implementation is in no way completed. It is a work
default configuration were not used in the implementa-
in progress, with many goals still in mind. Also, as new
tion, they were disabled once the firmware was flashed
features are desired, parts of the system will change to
by removing the modules that boot at startup: the Web
accommodate these requirements. Current plans for the
interface, dnsmasq, and the firewall. This is done by
future are first to develop scripts to check the status of the
deleting their entries in the /etc/init.d directory. Changes
access points and display this information to a Web page.
were needed to set the mode of the access point, to turn
These scripts will also notify network administrators
on and configure the clients needing to use WDS, to set
when access points go offline. This will help the adminis-
the network information for the access point and then
trators in making sure the system is up at all times. After
to save these settings. All of the wireless access points
this, scripts will be developed to parse the log files to find
that communicate with each other via a wireless connec-
abusive activity (spamming, viruses, etc). However, the
tion must have their physical addresses entered using a
current project as described is complete and has already
nvram command. For example, the command used for
functioned successfully for nearly a year providing con-
the main access point for the library would be:
nectivity for the library and portions of the McKendree
nvram set w10_wds=”MAC_4_lib1 MAC_4_lib2” College campus.

38 INFORMATION TECHNOLOGY AND LIBRARIES | JUNE 2007

References and Notes
1. OpenWrt, Wireless Freedom. www.openwrt.org (accessed
June 16, 2006).
2. The Fedora Project. www.fedora.redhat.com (accessed
Nov. 29, 2005).
3. Yum: Yellow dog Updater, Modified. www.linux.duke.
edu/projects/yum (accessed July 22 2006).
4. ChilliSpot—Open Source Wireless LAN Access Point
Controller. www.chillispot.org (accessed June 23, 2006).
5. Squid Web Proxy Cache. www.squid-cache.org (accessed
June 1, 2006).
6. FreeRADIUS—Building the Perfect RADIUS Server. www.
freeradius.org (accessed June 28, 2006).
7. Netfilter/iptables Project Homepage—The netfilter.org
Project. www.netfilter.org (accessed Aug. 8, 2006).
Appendix A. Network configuration
PUBLIC LIBRARIES AND
OPEN
INTERNET
SOURCEACCESS
WIFI HOTSPOT
8. Thomas Eastep, “Port Knocking and Other Uses of ‘Recent
Match.’” www.shorewall.net/PortKnocking.html (accessed
Aug. 11, 2006).
9. Squid Web Proxy Cache, “SQUID Frequently Asked
Questions: Interception Caching/Proxying.” www.squid-cache.
org/Doc/FAQ/FAQ-17.html (accessed Aug. 8, 2006).
10. Dnsmasq—A DNS Forwarder for NAT Firewalls. www.
thekelleys.org.uk/dnsmasq/doc.html (accessed June 1, 2006).
11. Linksys.com. www.linksys.com (accessed Dec. 15, 2005).
12. OpenWrtDocs/Installing/TFTP—OpenWrt. wiki.open-
wrt.org/OpenWrtDocs/Installing/TFTP?action=show&redirect
=OpenWrtViaTfp (accessed Aug. 2, 2006).
13. OpenWrtDocs/Installing—OpenWrt. wiki.openwrt.org/
OpenWrtDocs/Installing (accessed Aug. 2, 2006).
| JAEGER,
IMPLEMENTATION
BERTOT, MCCLURE,
| SONDAG
AND RODRIGUEZ
AND FEHER 39
Appendix B. iptables script—Server #1 iptables -A INPUT -p tcp --dport 1234 -m recent \
--name SSH --set -j DROP
# this particular bit must be set to one to allow the iptables -A INPUT -p tcp --dport 1235 -m recent \
# network to forward packets --name SSH --remove -j DROP
echo “1” > /proc/sys/net/ipv4/ip_forward
# drop all packets that do not match a rule above by default
# set up path to the internal network from Internet if the iptables -A INPUT -j DROP
# internal network initiated the connection
iptables -A FORWARD -i eth0 -o eth1 -d 10.4.0.0 \
-m state --state ESTABLISHED,RELATED -j ACCEPT
# Same for the Chillispot subnet Appendix C. Server configuration for first
iptables -A FORWARD -i eth0 -o eth2 -d 10.5.0.0 \
network card (ethernet 0)
-m state --state ESTABLISHED,RELATED -j ACCEPT
# /etc/sysconfing/networking-scripts/ifcfg-eth0 -
# allow the internal subnets to communicate with one another
# Server #1
iptables -A FORWARD -i eth1 -d 10.5.0.0 -o eth2 \
#
-j ACCEPT
DEVICE=eth0
iptables -A FORWARD -i eth2 -d 10.4.0.0 -o eth1 \
BOOTPROTO=static
-j ACCEPT
BROADCAST=66.128.109.63
HWADDR=00:11:22:33:44:66
# allow subnet containing server 2 to reach the Internet
IPADDR=66.128.109.60
iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT
NETMASK=255.255.255.248
NETWORK=66.128.109.56
# Chillispot – accept and forward packets
ONBOOT=yes
iptables -A FORWARD -i eth2 -s 10.5.3.30 -j ACCEPT
TYPE=Ethernet
# Set up transparent proxy for wireless network, but allow
# connections that go through to the campus network
# to bypass proxy
iptables -t nat -A PREROUTING -i eth2 ! \ Appendix D. /etc/squid.conf—Server #2
-d 66.99.172.0/23 -p tcp --dport 80 -s 10.5.0.0/16 \
-j DNAT --to-destination 10.4.1.90:3128 #default squid port
http_port 3128
# nat
iptables -t nat -A POSTROUTING -o eth0 \ # settings changed to specify memory for squid
-j MASQUERADE cache_mem 32 MB
cachedir ufs /var/spool/squid 1000 16 256
# simple port knocking to allow port 22 connection adapted
# from www.shorewall.net/PortKnocking.html1 another # allow assess to squid for all within our network
# excellent document can be found at acl all src 0.0.0.0/0.0.0.0
# www.debian-administration.org/articles/26814 http_access allow all
# once connection started let it continue http_reply_access allow all
iptables -A INPUT -m state --state \
ESTABLISHED,RELATED -j ACCEPT # internal host with no externally known name so we put
# our internal host name
# if name SSH has been set, then allow connection visible_hostname hostname
iptables -A INPUT -p tcp --dport 22 -m recent \ # specifications needed for transparent proxy2
--rcheck --name SSH -j ACCEPT httpd_accel_port 80
httpd_accel_host virtual
# Surround the port that opens ssh so that a sequential port httpd_accel_with_proxy on
# scanners will end up closing it right after opening it. httpd_accel_uses_host_header on
iptables -A INPUT -p tcp --dport 1233 -m recent \
–-name SSH --remove -j DROP

40 INFORMATION TECHNOLOGY AND LIBRARIES | JUNE 2007

Appendix E. /etc/raddb/clients.conf— Appendix G. /etc/chilli.conf—Server #3
Server #2
# used to expand the network
client 127.0.0.1 { net 192.168.176.0/20
secret = password
shortname = localhost # used to expand the number of hosts that can connect
nastype = other # while still leaving a portion of the network for
} # infrastructure
client 10.5.3.30 { dynip 192.168.184.0/21
secret = password
shortname = other machine # used to give static addresses to the access points
} statip 192.168.182.0/24

# internal DNS followed by external DNS

dns1 10.4.1.90
dns2 24.217.0.3
Appendix F. /etc/raddb/users—Server #2
# radius server for the network
# example of an entry for a user
radiusserver1 10.4.1.90
joeuser Auth-Type:=Local, User-Password==”passwd”
radiusserver2 10.4.1.90
Class = 0702345678,
Session-Timeout = 3600,
# radius secret used
Idle-Timeout = 600,
radiussecret password
Acct-Interim-Interval = 60,
WISPr-Bandwidth-Max-Up = 128000,
# interface Chillispot server to listens to DHCP requests
WISPr-Bandwidth-Max-Down = 512000
dhcpif eth1

# specified default login page

# example of an entry for an access point
uamserver https://10.5.3.30/cgi-bin/hotspotlogin.cgi
# The physical/mac address listed below is for the
# lan side of the router/access point
# addresses that users can visit without authenticating
mac_address Auth-Type := Local, User-Password == “password”
uamallowed 10.4.1.90,24.217.0.3,66.99.172.0/24
Framed-IP-Address = 192.168.182.10,
Acct-Interim-Interval = 3600,
# this allows the access points to authenticate based on
Session-Timeout = 0,
# mac address only, this is required to log into the access
Idle-Timeout = 0
# points from the captive portal server
macauth

# this password corresponds with the password from the

# radius users file
macpasswd password

PUBLIC LIBRARIES AND

OPEN
INTERNET
SOURCEACCESS
WIFI HOTSPOT
| JAEGER,
IMPLEMENTATION
BERTOT, MCCLURE,
| SONDAG
AND RODRIGUEZ
AND FEHER 41
Appendix H. Redirection page

is available at: ftp://ftp.linksys.com/pub/network/

WRT54GS_3.37.2_US_code.zip
Appendix I. Method for flashing firmware N Download and unzip this file.
N Plug an Ethernet patch cable into link #1 on the router
of Linksys router (not the wan port) and the interface on your machine.
Set the IP address of your computer to a static IP
The firmware can be flashed using the built-in Web inter-
address in the 192.168.1.x range, not 192.168.1.1,
face or via tftp. While help is available online3 for this, the
which is used by the router.
procedure outlined here may also be helpful. On newer N Log into router by opening a browser window and
versions of the Linksys routers, an older version of the
putting 192.168.1.1 into the address bar. (NOTE: This
Linksys firmware must be installed first that supports a
is only for factory preset routers.)
bug in the ping function on the router. Once the older
Username: (leave blank)
version is installed, you can exploit a bug in the ping com-
Password: admin
mand on the router to enable “boot wait,” which enables N Click on "administration".
the router to accept a connection to flash its firmware as N Click on "Firmware upgrade".
it is booting. N Click "browse" and locate the old Linksys firmware
Detailed instructions for this installation are as fol-
on your machine.
lows: N Click "upgrade".
N Wait patiently while it flashes the firmware….
N First, download an old version of a Linksys firmware N Click "setup".
that supports the ping bug to enable boot wait. One N Click "basic setup".

42 INFORMATION TECHNOLOGY AND LIBRARIES | JUNE 2007

 N Choose "static ip" from the first box. ##192.168.182.21 lib02 00:11:22:33:44:33
N For the IP address put in "10.0.0.1". ##192.168.182.22 lib03 00:11:22:33:44:44
N For the netmask put in "255.0.0.0". ##192.168.182.30 car01 00:11:22:33:44:55
N For the gateway put in "10.0.0.2".
N You can leave everything else as their default set-
tings. ## SAME for all
N Choose save settings at the bottom of the page. nvram set wl0_mode=ap
N Click on "administration". nvram set wl0_ssid=McK_Wireless
N Click on "diagnostics". nvram set wl0_channel=9
N Click on "ping". nvram set lan_proto=dhcp

In the “address” box put the following commands in ## Sample configuration for a few access points.
one at a time and click on “ping”; ## Uncomment and run for the appropriate node.
if you see the message that the host was unreachable ## Make sure to
you have done something wrong. ## add a line for every access point you have.

;cp${IFS}*/*/nvram${IFS}/tmp/n ## UNIQUE for lib01

;*/n${IFS}set${IFS}boot_wait=on ## allow connections to/from lib02, and lib03
;*/n${IFS}commit #nvram set wl0_wds=”00:11:22:33:44:33
;*/n${IFS}show>tmp/ping.log 00:11:22:33:44:44”

N After the last command you will see a list of all the ## UNIQUE for lib02
nvram settings on the router, make sure that the line ## allow connections to/from lib01
for "boot_wait" is set to on #nvram set wl0_wds=”00:11:22:33:44:22”
N Unplug the router (the Linksys router will only look
for new firmware on boot). ## UNIQUE for lib03
N Use tftp on your Linux or Windows machine. ## allow connections to/from lib01
N If the openwrt0-wrt54gs-squashfs.bin file is not in #nvram set wl0_wds=”00:11:22:33:44:22”
this directory, copy the file to this directory
N Run the following commands at the prompt (below ## SAME for all
are the Linux commands) nvram commit

tftp 192.168.1.1 ## SAME for all

tftp> binary ## This needed to be done to allow each wrt54gs router
tftp> rexmt 1 ## to accept an IP address from a DHCP server. This is
tftp> timeout 60 ## only for the wrt54gs. Other access point/routers
tftp> trace ## may require something different.
tftp> put openwrt-xxx-x.x-xxx.bin # cd /etc/init.d
# rm S05nvram
N The router will now reboot (it may take a very long # cp /rom/etc/init.d/S05nvram .
time), when it is done rebooting, the DMZ light will # vi S05nvram
turn off ## place a # in front of (comment out)
## nvram set lan_proto=”static”
The new firmware is now loaded onto the router.

Appendix J. Nvram script for
wireless routers
## server information stored as comments
##192.168.182.10 mainap 00:11:22:33:44:00
##192.168.182.11 cl202a 00:11:22:33:44:11
##192.168.182.20 lib01 00:11:22:33:44:22
References
1. Thomas Eastep, “Port Knocking and Other Uses of ‘Recent
Match.’” www.shorewall.net/PortKnocking.html (accessed
Aug. 11, 2006)
2. Ibid.
3. OpenWrtDocs/Installing-OpenWrt, wiki.openwrt.org/
OpenWrtDocs/Installing (accessed Aug. 2, 2006).

PUBLIC LIBRARIES AND

OPEN
INTERNET
SOURCEACCESS
WIFI HOTSPOT
| JAEGER,
IMPLEMENTATION
BERTOT, MCCLURE,
| SONDAG
AND RODRIGUEZ
AND FEHER 43