SDB:Wireless LANs with SuSE Linux
Version: 8.0
İçindekiler
Situation
You want to use a Wireless LAN PCMCIA, PCI, or USB card with SuSE Linux version 8.0 or higher.
Remark
The purpose of this support database article is merely to provide some guidelines on how to setup a wireless LAN with SuSE Linux. Some basic system knowledge is required. For example, how to execute commands as root user, how to start YaST, or what an IP address is. If you do not know this, maybe you should find out more about your SuSE Linux system before trying to setup a wireless LAN.
Basic Approach
Where to begin when setting up a wireless LAN under SuSE Linux? Basically, all you need is two wireless LAN cards, some system knowledge, and some time to understand the connections. Wireless LANs are often described as the networks of the future. However, this is only possible with a stable operating system, a good network stack, and a capable administrator.
Hardware
First make sure that the cards are supported by Linux. There are currently five possibilities to address wireless LAN cards: PCI, PCMCIA external, PCMCIA kernel, WLAN-NG, and USB. Depending on the card you want to use, you should find out first whether it is supported by Linux or not. For this purpose, refer to the project home pages of each option. A good overview is available at Wireless LAN resources for Linux If you cannot find information on your wireless LAN card in this page or via a search engine like google.com, you can contact our presales service at the e-mail address presales@suse.de. Most wireless LAN PCI and PCMCIA cards are supported by SuSE Linux. The reason is that there are "only" four big manufacturers of wireless LAN chipsets:
Most Lucent, Cisco, and Intersil cards work with the orinoco
module. This module is available for cards based on PCI and PCMCIA (both systems kernel/external). orinoco
is to be used for PCI-based cards and orinoco_cs
for PCMCIA-based cards. Atmel manufactures almost exclusively chips for USB cards.
Wireless
Networks operated via radio differ from normal wired networks only in the radio level. Thus, the first step consists of setting up the wireless extensions of the respective network cards and the second step, of performing an "ordinary" network setup.
All modules can be controlled with the tool iwconfig
, except for those from the WLAN-NG project. This tool is included in the package wireless-tools. SuSE Linux is ready for the deployment of wireless cards and the whole configuration can be performed with YaST. The only requirements are a supported card and the package wireless-tools.
There are different modes for wireless LANs:
- A wireless LAN may consist of two or more computers with wireless LAN cards that directly communicate with each other. This structure is called
ad-hoc
- Or it may also consist of a network with a central access point. An access point is an independent hardware component. All wireless LAN clients communicate through this access point and not directly with each other. This structure is called
managed
- A wireless LAN may consist of two or more computers with wireless LAN cards that directly communicate with each other. This structure is called
In addition, access points offer the possibility to connect the wireless LAN to an existing wired network. Sometimes additional functions such as an integrated DSL router are included, too.
Basically, you must only set two things to operate a wireless LAN: Your wireless LAN needs its own code, the ESSID
and, depending on if an access point is available or not, one of both modes ad-hoc
or managed
. Both options can be comfortably set with YaST.
Security tip: Radio waves cannot be controlled and blocked as easily as wires. Therefore, please bear in mind that you are always exposed to "tapping".
Network
The wireless extensions must run before you try to configure the network based on these extensions. Apart from this, the wireless network does not differ from a wired network. You can run everything as you would in a normal network. Network cards have ordinary Ethernet names like eth0, and can also be normally addressed with tools like ifconfig
or ip
. Services like DHCP or similar can also be used.
The only requirement is that the wireless extensions must be configured.
Detailed Setup
If you have basically understood how a wireless LAN works, you can proceed to setup the SuSE Linux system.
Hardware
PCI:
If you know the right module for your card, you will find it very easy to attach a PCI card. First use the command modprobe
to test if the module can be loaded.
modprobe module
If the module can be loaded and the cards are visible with ifconfig
and iwconfig
, you can easily set them up with YaST. To do this, launch the YaST network card module. Your card is unlikely to be automatically detected. Thus, select the entry "Other (not detected)". In the next mask, you can enter the corresponding module and configure all wireless-relevant options. That's all regarding the setup of PCI cards.
In the background, YaST creates an entry in the file /etc/modules.conf
defining what module is responsible for the first Ethernet device and notifies it to the kernel with (depmod -a
).
alias eth0 modul
This is all you need to define the hardware settings for PCI cards on a permanent basis.
PCMCIA:
The PCMCIA system in SuSE Linux detects virtually all wireless LAN cards. All you have to do is insert the card in a PCMCIA slot and the corresponding module will be automatically loaded. Simply insert the card and observe the messages in the file /var/log/messages
. The command tail
will prove very helpful for this purpose.
tail -f /var/log/messages
As an alternative, once the card has been inserted you can also use the command lsmod
to see all the loaded modules. If the module has been successfully loaded and the cards are visible with ifconfig
and iwconfig
, you can easily set them up with YaST. To do this, launch the YaST network cards module. Your card is unlikely to be automatically detected. Thus, select the entry "Other (not detected)". In the next mask, select simply PCMCI and configure all wireless-relevant options. That's all regarding the setup of PCMCIA cards
WLAN-NG:
Intersil cards with Prism chipsets can use modules from the WLAN-NG project. The interfaces of these modules are completely different. Thus, the tools for "normal" kernel modules such as iwconfig
do not work in this case. WLAN-NG has its own tools like wlancfg
or wlanctl-ng
. However, YaST setup is designed for the use of iwconfig for a simple reason: all cards with a Prism(2) chipset also work with the orinoco module. Therefore, if you want to operate a card with the WLAN-NG modules, you must perform the configuration manually. For this purpose, refer to the WLAN-NG-README.
USB:
Proceed exactly as for PCMCIA cards. Verify if the right drivers are automatically loaded and setup the card by way of YaST. Simply select the module USB in YaST.
Wireless
An ESSID is absolutely necessary for a wireless LAN. Radio traffic takes place on a few frequencies only. Therefore, the multiple existing networks must be separated from each other. This is done through the ESSID, which resembles the name of a network. If you want to participate in an existing wireless LAN, you need to know its ESSID. If, on the other hand, you want to setup a wireless LAN, its ESSID must be carefully selected. Note: Those access points that broadcast ESSID represent an exception. In these cases, it is enough to set the ESSID as "any" and the card will adopt the first ESSID to be found. The following is a typical output of iwconfig:
eth0 IEEE 802.11-DS ESSID:"my.wlan" Nickname:"wlan1" Mode:Managed Frequency:2.447GHz Access Point: 4D:33:56:D5:6F:73 Bit Rate:2Mb/s Tx-Power=15 dBm Sensitivity:1/3 Retry min limit:8 RTS thr:off Fragment thr:off Encryption key:off Power Management:off Link Quality:68/92 Signal level:134/153 Noise level:20/153 Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0
You can see the used ESSID
"my.wlan" and the used mode
managed, along with additional information.
- Nickname: Nickname of the card/computer. Not to be confused with the host name.
- Frequency: Frequency on which the network is broadcasting.
- Access Point: The Ethernet hardware address of the access point currently in use.
- Bit Rate: Speed of the existing wireless LAN.
- Encryption key: The used encryption key.
- Link Quality: Quality of the connection to the access point.
- Noise Level: Number of interferences in the radio traffic.
ESSID, mode, nickname, and encryption key can be set with YaST2, which writes these settings to the file /etc/sysconfig/network/ifcfg-<hardware>-<number>
. For the first PCMCIA card, this stands for the file:
/etc/sysconfig/network/ifcfg-eth-pcmcia-0
For PCI cards:
/etc/sysconfig/network/ifcfg-eth0
These settings will be stored as variables and be read by the system. There are also additional variables which cannot be set using YaST. A complete overview is available in the file:
/etc/sysconfig/network/wireless
Here you can define unusual settings, such as the frequency on which the card broadcasts. You will usually need only the options that can be configured in YaST. The ESSID
and the mode
are absolutely necessary. The link quality
shows you whether you have a connection to another wireless LAN card or to an access point.
Network
To connect two wireless LAN computers in ad-hoc mode, you only have to set the wireless extensions of both machines to the same values and to assign IP addresses from the same subnet to the cards, preferably from a 192.168.x.x network, in the YaST network card module. To do this, select "Static address setup" and enter 192.168.0.1 for one computer and 192.168.0.2 for the other. The default value 255.255.255.0 for the subnet mask can remain unchanged, as well as the computer name and the routing. After having done this for both wireless LAN clients and having checked that the radio connection between the computers works, both machines can ping each other. The procedure is the same if you use access points except for the mode, which must be changed in the wireless settings. YaST writes the network configuration along with the wireless configuration in the corresponding ifcfg file. In our example, the content of this file is:
BOOTPROTO='static' BROADCAST='192.168.0.255' DHCLIENT_SET_DOWN_LINK='yes' IPADDR='192.168.0.1' NETMASK='255.255.255.0' NETWORK='192.168.0.0' REMOTE_IPADDR='' STARTMODE='hotplug' UNIQUE='' WIRELESS='yes' WIRELESS_ESSID='my.wlan' WIRELESS_KEY='' WIRELESS_MODE='Ad-Hoc' WIRELESS_NICK='wlan1' WIRELESS_NWID=''
The file can also be directly edited and the card restarted with ifdown
/ifup
. Regarding the network configuration, there are more variables than those that can be configured with YaST. Please refer to ifup
's man page and to the file:
/etc/sysconfig/network/ifcfg.template
Troubleshooting
If your wireless LAN does not run smoothly, you might find the cause among the following ones. As compared to an "ordinary" network, a wireless LAN also includes an additional level: the radio level. This means, there are again three areas where you can search for the problem.
Hardware
Note: It would be impossible to cover all problems that may arise in connection to the hardware. Therefore, we will focus on wireless LAN-specific problems.
We have extracted all known cards with Prism(2) chipsets from the WLAN-NG system. However, we might still have an unknown card for which a WLAN-NG module is loaded by the PCMCIA system. This module can be one of the following: prism2_cs, prism2_pci, prism2_plx
. In addition, the network device is called wlan0
instead of eth0
. This can be avoided by informing the PCMCIA system that the orinoco module must be loaded for this card instead of one of the WLAN-NG modules.
First find out the card ID with the command
cardctl ident
A sample output:
Socket 0: product info: "D-Link DRC-650 11Mbps WLAN Card", "Version 01.02", "" manfid: 0x028a, 0x0002 function: 7 (wlan-ng)
Now search for manfid
, the card code, in the file /etc/pcmcia/wlan-ng.conf
and disable everything related to the output of cardctl ident
by using the comment sign. Then create a new entry for your card in the file /etc/pcmcia/conf
. For this purpose, search for the other entries related to the orinoco modules and append the new entry to them. In our example:
card "D-Link DRC-650" manfid 0x028a, 0x0002 bind "orinoco_cs"
Finally restart the PCMCIA system with rcpcmcia restart
. The right module will be loaded and the card can be setup with YaST.
Wireless
There are many interference sources for the reception in a wireless LAN like, for example, microwaves and TV sets. If anything does not work, always check the noise level
and the link quality
before looking into your hardware or network settings. The WEP encryption might be another possible error source.
Network
All the problems that may appear in a wired network can also arise in a wireless LAN. We recommend you to read the Linux Networking HOWTO
Security
Since wireless LANs are per se insecure networks, we provide you with some tips to make your wireless LAN more secure. Security problems depend on the protocol, encryption method, and the structure.
Packet filter
The first step when connecting a network device to an unsecure network is to make sure that everything that comes into the system through this device is filtered. A packet filter such as SuSEfirewall2 can be used for this purpose. This does not protect against the packets transmitted through the wireless LAN, but against potential attackers already on the wireless LAN (e.g. after having guessed your ESSID).
WEP encryption
WEP (Wired Equivalent Privacy) keys should always be used for wireless LANs. This is an encryption method especially developed for wireless LANs that uses keys 128bit or 64bit long (actually only 104bit or 40bit) to encrypt the whole radio traffic. However, this method is no longer secure. Nevertheless, it should be the first measure to be implemented in order to isolate the people from your wireless LAN who cannot compile airsnort ;-) But this is not enough to secure your wireless LAN.
SSH tunnel
SSH tunnels are the next useful method that should be implemented in wireless LANs. For a detailed description, refer to the O'Reilly wireless LAN pages
IPsec with Freeswan
To avoid having hundreds of tunnels for all the services you want to use via your wireless LAN, you can deploy a VPN (Virtual Private LAN). As a result, the whole network traffic on the wireless LAN is encrypted. SuSE Linux includes the free IPsec/VPN implementation freeswan. For installation purposes, please refer to the included documentation. Its main disadvantage is that the configuration must be performed on each of the existing wireless LAN clients.
Auth systems
Since wireless LANs are often used by public organizations, the auth systems make sure that only authorized users have access to the services provided through the wireless LAN. NoCat is a completely Linux-based auth system.
<keyword>wlan,pcmcia,wavelan,radio,prism_2,orinoco,ap,card,ifup,iwconfig,wireless</keyword>