Reference Design

From Stu2

Reference Design Details

Each architecture pattern was designed and implemented using commercial off-the-shelf components. The design validated the architecture and uncovered several areas of practical concern. Here are images of the design drawing and equipment.

Design Drawing

External View of the Netgate router

Internal View of the Netgate router

Hardware

The test model used PC Engines Wireless Router Appliance PCs (WRAP), which are single-board computers with a LAN connector, two radio slots, a serial connector and a Compact Flash card. Unlicensed radio bands were used.

The WRAP boards are mounted in a weather-proof enclosure and fed with an Ethernet cable using Power over Ethernet. The enclosures have two antennas with 'N' connectors.

Compact Flash is used for storage. The test nodes had 256MB of space.

Firmware

Firmware provides the operating system and software programs for the PC. The reference design used pfSense firmware, which is web-based, free and uses m0n0wall code. (m0n0wall is a popular firewall firmware used in embedded computers.) pfSense provides wireless security (WPA-PSK) and OLSR routing. Voyage Linux was used to test WPA with 802.1x, but Voyage doesn't currently have a web user interface.

The firmware was loaded onto the compact flash cards using a USB read/writer. Initial configurations were done over the serial port and final configurations used a web interface.

Configurations

Internet Gateway - LAN+LAN

This provides connectivity to the outside world. I'm using a small WRAP board, but it could be anything as long as it does NAT and has a way to set up VPN tunneling. (Maybe a Juniper SSG?) If pfSense is used, the gateway can participate in the OLSR routing and propagate the default route.

Interface           Function  iface   Comment
outside IP address  WAN       sis1    Connection to the outside
192.168.2.254/24    LAN       sis0    Inside Connection

Set up the firewall rules and leave NAT in place.

Connecting the WRAP LAN Gateway to the first wireless Gateway Node required a crossover Ethernet cable.

Gateway Node - LAN+WLAN+Backhaul

Using a null modem cable, set the terminal program to 9600, N, 8, 1. (The WRAP starts at 38400, so you'll see some gibberish at first.) Once pfSense boots, you'll need to answer several questions. Make sis0 the LAN interface because it's the Ethernet port and you'll need to connect via a web browser to finish the configuration. Unfortunately, you can only assign an IP address to the LAN port, which makes setup a little more difficult. It takes about a minute to boot because pfSense looks for an address via DHCP. Manually set the IP address to 192.168.1.1. After you assign the address, use a web browser to finish the configuration (http://192.168.1.1).

Here's the goal:

Interface        Function  iface  Radio   Channel   Comments
192.168.1.0/24   LAN       ath0   #1 (L)  11b/g-1   802.11 b/g wireless local area network using WPA-PSK
192.168.2.0/24   WAN       sis0                     Ethernet Interface to the world
192.168.250.0/24 Link      ath1   #2 (R)  11a-40    802.11a link for other nodes (backhaul)

Summary

  • Assign the IP addresses - order matters!
  • Configure the LAN interface
  • Configure the network details
  • Test Connectivity
  • Configure the Security and test
  • Set up the backhaul

Steps: If you don't do these in order, you will not be able to connect to the node on the Ethernet segment.

1) Disable the firewall (System/Advanced) - this disables NAT and turns off the firewall
2) Enable the OPT1 port and assign it an IP address. (192.168.3.1/24)
3) Assign an IP address to the WAN port. (192.168.2.254/24) - you will connect to this address after step 5.
4) Assign an IP address to the LAN port. (192.168.1.1/24) DON'T APPLY
5) Assign interfaces. WAN=sis0, LAN=ath0
6) Apply changes - Interfaces/LAN -> Apply Changes

Configure the LAN (wireless) interface:

1) Select 802.11g
2) Make this an Access Point
3) Set the SSID
4) Set the transmit power (max, 99, is probably OK)
5) Set the channel. (e.g. channel 11b/g - 1)

Configure the rest of the networking stuff

1) Set the DNS server (System/General Setup)
2) Change the admin password. (If you leave it alone for testing, come back!)
3) Set the DHCP Address pool (Services/DHCP Server)
      Enable DHCP
      Check the address pool (192.168.1.100-199)
      Configure a gateway address (192.168.1.1)

Test connectivity - the node should hand out an address and you should be able to ping the gateways. The Windows XP client should be configured to get IP addresses automatically, open network, no encryption.

1) Check for a valid IP address (Run/CMD/ipconfig)
2) ping the node's wireless gateway (192.168.1.1)
3) ping the other side of the node. (LAN address)
4) ping the outgoing gateway. (LAN gateway)
5) ping using a canonical name. (e.g. www.google.com)

Configure the encryption on the wireless LAN port (WPA-PSK).

1) Enable WPA (Interfaces/LAN)
2) Enter a PSK. (ASCII, 8-63 characters) Make this as complicated as possible.
3) Set WPA Mode to WPA
4) Set WPA Key Management to Pre Shared Key
5) Set Authentication to Open System Authentication
6) Set WPA Pairwise - AES
7) Save and Apply changes
8) Test connectivity

Set up the Windows XP client for WPA-PSK and enter the passphrase. (Under the Wireless Adapter Network Properties/Wireless tab.)

Set up the backhaul link:

1) Enable the Optional 1 (OPT1) interface
2) IP Configuration - set IP address (192.168.250.1/24)
3) Set the Standard 802.11a
4) Set mode as access point
5) Set SSID
6) Set Power
7) Set Channel 11a-40
8) Test connectivity
9) Enable WPA (same as configuring encryption on the wireless LAN port above.)

Run connectivity tests and check for wireless associations in the status screen. (Associations only show up on the AP.)

LAN Backhaul Node - LAN+Backhaul

Unlike the gateway node, you should be able to keep the default interface assignments. Follow the same general procedure for getting pfSense running for the first time. Then use a web browser to finish the configuration. Configure the LAN address to be 192.168.1.1.

Here's the goal:

Interface         Function  iface  Comments
192.168.10.0/24   LAN       sis0   Ethernet service LAN
192.168.250.0/24  WAN/Link  ath0   802.11a link to the gateway node (backhaul as client)

Summary

  • Configure basic network
  • Configure the backhaul
  • Finish configuring the network
  • Test connectivity
  • Configure the security and test

Configure basic networking. If you don't do these in order, you will not be able to connect to the node on the Ethernet segment.

1) Disable the firewall (System/Advanced) - this disables NAT and turns off the firewall
2) Assign an IP address to the WAN port. (192.168.250.2/24) This is the backhaul link
3) Assign an IP address to the LAN port. (192.168.11.1/24)
4) Save and apply

Configure the WAN (backhaul) interface:

1) Select 802.11a
2) Make this an AD-Hoc node
3) Set the SSID
4) Set the transmit power (max, 99, is probably OK)
5) Set the channel. (e.g. channel 11a - 40)
6) Uncheck 'Block private networks'

Configure the rest of the networking stuff

1) Set the DNS server (System/General Setup)
2) Change the admin password. (If you leave it alone for testing, come back!)
3) Set the DHCP Address pool (Services/DHCP Server)
      Enable DHCP
      Check the address pool (192.168.11.100-199)
      Configure a gateway address (192.168.11.1)

Test connectivity - the node should hand out an address and you should be able to ping the gateways.

1) Check for a valid IP address (Run/CMD/ipconfig)
2) ping the node's wireless gateway (192.168.1.1)
3) ping the other side of the node. (LAN address)
4) ping the outgoing gateway. (LAN gateway)
5) ping using a canonical name. (e.g. www.google.com)

If the connectivity works, configure the encryption on the wireless WAN port as WPA-PSK.

1) Enable WPA (Interfaces/WAN)
2) Enter a PSK. (ASCII, 8-63 characters) Make this as complicated as possible.
3) Set WPA Mode to WPA
4) Set WPA Key Management to Pre Shared Key
5) Set Authentication to Open System Authentication
6) Set WPA Pairwise - AES
7) Save and Apply changes
8) Test connectivity - may take a minute or two to associate with the AP.

LAN Service Node - LAN+WLAN+Backhaul

This node provides wireless LAN services (802.11b/g), a backhaul (802.11a) and an Ethernet LAN. This aligns with the default configuration and naming conventions in pfSense, which makes this configuration much easier than the Gateway Node configuration. Follow the same general procedure for getting pfSense running for the first time. Assign the interfaces and give the LAN interface an IP address. Don't enable the DHCP server. Finish the configuration using a web browser.

Here's the goal:

Interface          Function  iface  Comments
192.168.20.254/24  LAN       sis0   Ethernet service LAN
192.168.250.3/24   WAN       ath0   802.11a link to the gateway node (backhaul as client)
192.168.21.254/24  OPT1      wi0    802.11g wireless LAN (Note - using Prism 2511 for test)

Summary

  • Configure basic network
  • Configure the backhaul
  • Finish configuring the network
  • Test connectivity
  • Configure the security and test


Configure the WAN (backhaul) interface:

1) Assign a static IP address. (No DHCP, 192.168.250.3/24)
2) Assign a default gateway. (192.168.250.1)
3) Select 802.11a
4) Make this an ad-hoc node
5) Set the SSID. Use the SSID of the backhaul mesh. (e.g. w7iy-2)
6) Set the transmit power (max, 99, is probably OK or use low power for close proximity testing)
7) Set the channel. (e.g. channel 11a - 40)
8) Uncheck 'Block private networks'
9) Save

Configure the OPT1 (WLAN) interface. Note: For this test, we're using a 2511 radio, which is 802.11b only. It also DOES NOT support WPA2.

1) Enable the interface
2) Assign a static IP address. (192.168.21.254/24)
3) Leave the gateway blank.
4) Select 802.11b (or G if using a CM9 radio)
5) Make this an Access Point
6) Set a unique SSID (e.g. w7iy-3)
7) Set the transmit power (max, 99, is probably OK)
8) Set the channel. (e.g. channel 11a - 40)
9) Save

Configure the rest of the networking stuff

1) Disable Firewall (System/Advanced) - disables NAT and turns off the firewall
2) Set the DNS server (System/General Setup)
3) Change the admin password. (If you leave it alone for testing, come back!)
4) Set the DHCP Address pool for the LAN and WAN ports. (Services/DHCP Server)
      Enable DHCP
      Check the address pool (192.168.20.100-199)
      Configure a gateway address (192.168.20.254)

Test connectivity - the node should hand out an address and you should be able to ping the gateways.

1) Make sure the computer has an IP address on the LAN subnet. (Run/CMD/ipconfig)
2) Ping the node's wireless gateway (e.g. 192.168.20.254)
3) Ping the other side of the node. (e.g. 192.168.250.3)
4) Ping the outgoing gateway. (e.g. 192.168.2.1)
5) Ping using a canonical name. (e.g. www.google.com)

Configure the security on the WAN (backhaul) interface as WPA-PSK. Since the other running nodes have security enabled, security must be enabled on this node before it can connect.

1) Enable WPA (Interfaces/WAN)
2) Enter a PSK. (ASCII 8-63 characters) Must match the backhaul PSK.
3) Set WPA Mode to WPA
4) Set WPA Key Management to Pre Shared Key
5) Set Authentication to Open System Authentication
6) Set WPA Pairwise - AES
7) Save and Apply changes
8) Test connectivity - may take a minute or two to associate with the AP.
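The three WPA-PSK sections above (wireless LAN port, backhaul WAN port and the LAN Service Node's WAN port) all say to enter an 8-63 character ASCII PSK and make it as complicated as possible. The following added example is not from the wiki page or from pfSense; it shows what that field actually accepts and how the passphrase and SSID turn into the 256-bit pairwise master key that the 802.11i standard defines (PBKDF2-HMAC-SHA1, 4096 iterations). Because that derivation is deterministic, anyone who captures a four-way handshake can test guesses offline, which is the real reason the passphrase needs to be long and random. Function and variable names are this example's own.

```python
"""WPA-PSK passphrase checks and PMK derivation (added example, not page code).

The derivation is the one in IEEE 802.11i Annex H:
    PMK = PBKDF2(HMAC-SHA1, passphrase, ssid, 4096 iterations, 256 bits)
The validation rules are the ones the pfSense field enforces: 8-63 printable ASCII characters.
"""
from __future__ import annotations

import hashlib
import secrets
import string

# Printable ASCII as allowed for a WPA passphrase: 0x20 (space) through 0x7E (~).
_PRINTABLE = frozenset(range(0x20, 0x7F))

# Character set used when generating a passphrase for the pfSense PSK field.
_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def validate_passphrase(passphrase: str) -> list[str]:
    """Return a list of problems with the passphrase; an empty list means it is acceptable."""
    problems: list[str] = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("length must be 8-63 characters")
    if any(ord(ch) not in _PRINTABLE for ch in passphrase):
        problems.append("only printable ASCII (0x20-0x7E) is allowed")
    return problems


def generate_passphrase(length: int = 63) -> str:
    """Generate a random passphrase of the given length using the OS CSPRNG.

    63 characters is the maximum the field accepts; since the PSK is pasted into
    pfSense and the Windows XP client once, there is no reason to use fewer.
    """
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8-63 characters")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 32-byte pairwise master key exactly as a WPA-PSK supplicant and AP do.

    The SSID is the PBKDF2 salt, so the same passphrase on two SSIDs (e.g. w7iy-2 on the
    backhaul and w7iy-3 on the service WLAN) yields two different keys.
    """
    problems = validate_passphrase(passphrase)
    if problems:
        raise ValueError("; ".join(problems))
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def same_key_on_two_ssids(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """True only if the two SSIDs produce the same PMK (i.e. the SSIDs are identical)."""
    return derive_pmk(passphrase, ssid_a) == derive_pmk(passphrase, ssid_b)


if __name__ == "__main__":
    # Known-answer test from IEEE 802.11i Annex H.4: passphrase "password", SSID "IEEE".
    print(derive_pmk("password", "IEEE").hex())
    candidate = generate_passphrase()
    print(f"generated {len(candidate)}-char PSK, problems: {validate_passphrase(candidate)}")
```

The known-answer pair "password"/"IEEE" is the standard's own test vector; running the block reproduces it, which is a quick way to confirm that a tool you are using derives the key the same way the access point does.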

Optimized Link State Routing - OLSR

This is the routing protocol for a meshed network. The configuration file is located in /var/etc/olsr.conf and there are a few tricks to the configuration. The configuration screen is located under Services/OLSR. Here are the notes for configuring the daemon.

Summary

  • Configure the LAN gateway
  • Configure the Gateway node
  • Review the routes and test
  • Configure additional nodes

Setting                           Value / Notes
Enable OLSR                       checked
Link Quality Level                2
Interfaces                        advertise routes on these interfaces
Enable HTTPInfo Plugin            turn on the info web page
HTTPInfo Port                     8080
Allowed host(s)                   blank
Allowed host(s) subnet            192.168.0.0 255.255.0.0
Enable Dynamic Gateway            checked - but hand loading the modules shows this plugin is broken
Announce self as Dynamic Gateway  checked for the Internet gateway only; leave unchecked on other nodes
Announce Dynamic local route      192.168.11.0 255.255.255.0 - advertise the directly connected networks; separate nets with a comma
Ping                              blank
Poll                              blank
Enable Secure Mode                unchecked
Key                               blank

A couple of key points:

  • Networks are specified as "networkIP netmask" for example "192.168.11.0 255.255.255.0"
  • Propagating default routes can be an issue. On the border wireless node, do the following: Uncheck 'Announce self as Dynamic Gateway.' Make sure the INET interface has a default gateway. (e.g. on the WAN interface). Advertise '0.0.0.0 0.0.0.0' to let the mesh know the gateway is the default route.
  • Check the routes in the routing table. Make sure there is a default route listed.
  • Use ping to check for connectivity.
  • Saving the OLSR configuration updates the config file and restarts the daemon.
  • It may require a reboot to recognize the local default route, if it was removed by a mistake during the OLSR configuration.
  • It's possible to SSH to the WRAP and manually run olsrd to check for errors. (/usr/local/sbin/olsrd -f /var/etc/olsr.conf)
  • Check the routes via the gui or via the OLSR httpinfo page. (e.g. :8080)
  • You can ssh into the box and run the daemon by hand to verify the config file was parsed correctly. If the config file is wrong, you can't tell if the daemon started from the web gui.
  • If the routes are propagating as expected, check the Filter Logs via SSH. Make sure the firewall is really turned off. I had to add rules to each interface (any->any) and then disable the rules altogether.
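The settings table and key points above give the rules that matter for the OLSR configuration: networks are written as "networkIP netmask" separated by commas, only the border node advertises "0.0.0.0 0.0.0.0" as its default route, and a bad config file is invisible from the web GUI until olsrd is run by hand. The following added example is not the pfSense Services/OLSR code or a file from this page; it checks a node's advertised networks against those rules before writing an olsrd.conf, so a typo such as a host address in the network field or a default route on a non-gateway node is caught before the daemon restarts. The directive names (LinkQualityLevel, Hna4, LoadPlugin, PlParam "port"/"Net") are olsrd.conf syntax; the httpinfo plugin file name is an assumption that varies by olsrd version, and the class and function names are this example's own.

```python
"""Check and render an olsrd configuration for a pfSense mesh node (added example, not page code).

Assumptions: olsrd.conf syntax for Hna4 / LoadPlugin / PlParam; the plugin file name
"olsrd_httpinfo.so.0.1" is a placeholder to be checked against the installed olsrd.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

DEFAULT_ROUTE = "0.0.0.0 0.0.0.0"


@dataclass
class OlsrNode:
    name: str
    interfaces: list[str]                 # interfaces OLSR advertises on, e.g. ["ath1"]
    hna: list[str] = field(default_factory=list)  # "networkIP netmask" entries
    internet_gateway: bool = False        # True only on the node that owns the real default route
    link_quality_level: int = 2
    httpinfo_port: int = 8080
    httpinfo_net: str = "192.168.0.0 255.255.0.0"


def split_hna_field(text: str) -> list[str]:
    """Split the pfSense 'Announce Dynamic local route' field (comma separated) into entries."""
    return [entry.strip() for entry in text.split(",") if entry.strip()]


def parse_net(spec: str) -> ipaddress.IPv4Network:
    """Parse one 'networkIP netmask' entry (the olsrd form, not CIDR).

    strict=True rejects host bits in the network part (192.168.11.1 255.255.255.0), and
    ipaddress rejects non-contiguous masks such as 255.255.0.255.
    """
    parts = spec.split()
    if len(parts) != 2:
        raise ValueError(f"expected 'networkIP netmask', got {spec!r}")
    return ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}", strict=True)


def check_hna(node: OlsrNode) -> list[str]:
    """Return problems with the node's advertised networks; empty list means it is consistent."""
    problems: list[str] = []
    nets: list[ipaddress.IPv4Network] = []
    for spec in node.hna:
        try:
            nets.append(parse_net(spec))
        except ValueError as exc:
            problems.append(f"{node.name}: bad HNA entry {spec!r}: {exc}")
    has_default = any(net.prefixlen == 0 for net in nets)
    if node.internet_gateway and not has_default:
        problems.append(f"{node.name}: Internet gateway must advertise {DEFAULT_ROUTE}")
    if not node.internet_gateway and has_default:
        problems.append(f"{node.name}: only the Internet gateway may advertise a default route")
    # Two overlapping HNA entries on one node are almost always a typo in the mask.
    for i, first in enumerate(nets):
        for second in nets[i + 1:]:
            if first.prefixlen and second.prefixlen and first.overlaps(second):
                problems.append(f"{node.name}: overlapping HNA entries {first} and {second}")
    return problems


def render_olsrd_conf(node: OlsrNode) -> str:
    """Render olsrd.conf text for the node, refusing to render an inconsistent configuration."""
    problems = check_hna(node)
    if problems:
        raise ValueError("\n".join(problems))
    lines = [
        "DebugLevel 0",
        "IpVersion 4",
        f"LinkQualityLevel {node.link_quality_level}",
        "Hna4",
        "{",
        *[f"    {spec}" for spec in node.hna],
        "}",
        'LoadPlugin "olsrd_httpinfo.so.0.1"',  # assumed file name; check the WRAP's install
        "{",
        f'    PlParam "port" "{node.httpinfo_port}"',
        f'    PlParam "Net" "{node.httpinfo_net}"',
        "}",
    ]
    for iface in node.interfaces:
        lines += [f'Interface "{iface}"', "{", "}"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the gateway node's LAN plus the default route from the key points.
    gateway = OlsrNode("gateway", ["ath1"],
                       split_hna_field("192.168.1.0 255.255.255.0, 0.0.0.0 0.0.0.0"),
                       internet_gateway=True)
    print(render_olsrd_conf(gateway))
```

Running check_hna on each node's field before saving in the GUI covers the same ground as running olsrd by hand with -f, except that the mistakes are reported per entry instead of as a daemon that silently fails to start.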