Saturday, August 11, 2012

Raspberry Pi as a Router

Raspberry Pis have started making their way into homes all across the world. When I got mine, the first thing I wanted to do was set it up as a router to replace my aging piece of D-link garbage.


This guide is somewhat geared towards those new to Linux so experienced users can feel free to skip around a bit and modify some of my commands.

The first step is to download and install Raspbian onto your SD card. You could just as easily use Debian, but Raspbian is preferred because it's optimized for the Pi. I'm using the Darkbasic minimal image because there's really no use for a GUI on a router and it would just hog resources but you can decide what flavor you like best.

I won't tell you how to install Raspbian because there's plenty of guides on the Raspbian site that explain it way better than I ever could.

From my experience, the Raspbian images you can download contain older versions of the Raspberry Pi firmware which is a problem because the kernel is not compiled with iptables support. Hexxeh to the rescue! The easiest way to install the new firmware is to use Hexxeh's rpi-updater which is available here with instructions as to how to install it. Remember to install ca-certificates before you wget the updater.

sudo apt-get update && sudo apt-get install ca-certificates

If I remember correctly, the script has one more dependency, but it will tell you what it is and it's available in the repositories and you can just apt-get it.

After your firmware has been updated, reboot the pi to activate it.

Here's where the fun begins, but first a bit of logic regarding my setup. As is shown in my video, the on-board NIC of the pi (eth0) is connected to the internet via my cable modem. My USB-NIC (eth1) is connected to my internal network, specifically in my case a wireless access point, but you could just as easily connect a switch if you need more wired ports.

As you can see in the video, I am using an apple branded USB-NIC because it's what I had lying around, but this is not a necessity. Debian has good support for lots of USB-NICs and in most cases they'll be recognized when you plug them in without any additional configuration.

The first step is to edit /etc/network/interfaces.

sudo nano /etc/network/interfaces

We want the internet-facing NIC to get an address from our ISP via DHCP and our internal NIC to have a static address. I am using 192.168.50.0/24 as my internal subnet but you can use any subnet you like as long as it is RFC 1918 compliant. Keep in mind a /24 (255 addresses) is almost always big enough for a home network.

Here is what my /etc/network/interfaces file looks like. If you decide to change the internal subnet, you'll need to edit my addresses to suit your setup.

# interfaces(5) file used by ifup(8) and ifdown(8)

auto lo
iface lo inet loopback

#Onboard NIC connecting to the Internet
auto eth0
iface eth0 inet dhcp

#USB NIC serving as internal gateway
auto eth1
iface eth1 inet static
address 192.168.50.1
netmask 255.255.255.0
network 192.168.50.0
broadcast 192.168.50.255
# No "gateway" line on eth1: the default route comes from eth0's DHCP lease

Save the file and restart networking (or reboot).

sudo /etc/init.d/networking restart

Next we need to install the DHCP server package on our Pi so we can allocate addresses to clients.

sudo apt-get install isc-dhcp-server

Now let's edit the DHCP server configuration file.

sudo nano /etc/dhcp/dhcpd.conf

The configuration file provides a lot of examples that are all commented out. Feel free to read them if you care to. Since this should be the only DHCP server on our network, let's make it authoritative. Uncomment the authoritative line near the top of the file.

# If this DHCP server is the official DHCP server for the local
# network, the authoritative directive should be uncommented.
authoritative;

Next, let's add a new subnet. Scroll down to the bottom of the file and add something like this:

subnet 192.168.50.0 netmask 255.255.255.0 {
range 192.168.50.10 192.168.50.250;
option broadcast-address 192.168.50.255;
option routers 192.168.50.1;
default-lease-time 600;
max-lease-time 7200;
option domain-name "local";
option domain-name-servers 8.8.8.8, 8.8.4.4;
}

Again, this is assuming a 192.168.50.0/24 subnet. You'll need to change it if you've chosen a different subnet.

You'll also notice I'm using the Google public DNS servers, 8.8.8.8 and 8.8.4.4. If you prefer to use the DNS servers provided by your ISP, you'll need to change this line to reflect their addresses.

Save the file and restart the DHCP service.

sudo /etc/init.d/isc-dhcp-server restart

You should receive two ok messages.

[ ok ] Stopping ISC DHCP server: dhcpd.
[ ok ] Starting ISC DHCP server: dhcpd.

If you receive an error about no interfaces being in the proper address space, double check your configurations and make sure your static address on eth1 is in the same subnet as your DHCP subnet. If you need to make any changes, you'll need to restart the relevant services.

At this point you should be able to plug a device into the USB NIC (eth1) interface of your pi and receive an IP address via dhcp. However, you won't be able to get any further on the network than your Pi itself. To solve this, we need to enable IP forwarding.

Guides I read said I needed to do one or the other of the following things, however, I had to do both. First run the following command:

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

Next edit /etc/sysctl.conf and uncomment the line that says net.ipv4.ip_forward=1.

sudo nano /etc/sysctl.conf

# Uncomment the next line to enable packet forwarding for IPv4
net.ipv4.ip_forward=1

Save the file.

The final step is to insert an iptables rule to allow NAT.

sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

Time for final testing. Plug a computer into the eth1 interface on your pi and plug the onboard NIC into your modem.

After the negotiation phase, your computer will pull an address and you should be able to access the internet! If it doesn't work, ssh to the Pi by using the address you gave eth1 (192.168.50.1 in my case) and ensure that eth0 has a public address by running ifconfig.

sudo ifconfig -a
eth0      Link encap:Ethernet  HWaddr b8:27:eb:e8:4a:fe  
          inet addr:68.229.57.30  Bcast:68.229.51.255  Mask:255.255.255.0
          inet6 addr: fe80::ba27:ebff:fee8:4afe/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1851717 errors:0 dropped:0 overruns:0 frame:0
          TX packets:680737 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:1493496473 (1.3 GiB)  TX bytes:131062180 (124.9 MiB)

eth1      Link encap:Ethernet  HWaddr 40:3c:fc:00:74:b0  
          inet addr:192.168.50.1  Bcast:192.168.50.255  Mask:255.255.255.0
          inet6 addr: fe80::423c:fcff:fe00:74b0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:675292 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1052136 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:116080201 (110.7 MiB)  TX bytes:1474222354 (1.3 GiB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:152 (152.0 B)  TX bytes:152 (152.0 B)

If your eth0 still shows a private address it probably didn't renew when you moved it to your modem. Fix this by running:

sudo ifdown eth0 && sudo ifup eth0

Check your IP address by running ifconfig again and see if you can reach the internet. You may need to reboot your modem, however do not reboot your Pi for the reasons that are to follow.

If it's still not working, stop here and go back and make sure you've not missed any steps.

You should not reboot your Pi at this point because the iptables rules for nat we inserted earlier are not persistent and if you reboot they will be overridden by the default configuration (nothing). We can fix this by saving the rules and creating a little script to restore them as the network interfaces come up during boot.

First, save your iptables rules to a file.

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

You don't have to save them to /etc/iptables.up.rules, that's just where I save mine.

Next create a script in /etc/network/if-pre-up.d/ with the following contents:

sudo nano /etc/network/if-pre-up.d/iptables

#!/bin/sh
#This script restores iptables upon reboot

iptables-restore < /etc/iptables.up.rules

exit 0

Change ownership and permissions of the script so it will run at boot.

sudo chown root:root /etc/network/if-pre-up.d/iptables && sudo chmod +x /etc/network/if-pre-up.d/iptables && sudo chmod 755 /etc/network/if-pre-up.d/iptables

Voila. You can now reboot and your iptables rules will stay persistent.

For some additional security, let's add some more iptables rules:

sudo iptables -A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
sudo iptables -A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
sudo iptables -A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
sudo iptables -A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
sudo iptables -A INPUT -s 240.0.0.0/5 -i eth0 -j DROP
sudo iptables -A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
sudo iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
sudo iptables -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP

This blocks access from RFC 1918 subnets on your internet (eth0) interface as well as ICMP (ping) packets and ssh connections.

Remember to save whenever you make changes!

sudo sh -c 'iptables-save > /etc/iptables.up.rules'

If you want to see how many packets your firewall is blocking, run this command:

sudo iptables -L -n -v

Chain INPUT (policy ACCEPT 215 packets, 23539 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  eth0   *       192.168.0.0/24       0.0.0.0/0           
  126 34570 DROP       all  --  eth0   *       10.0.0.0/8           0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       172.16.0.0/12        0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       224.0.0.0/4          0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       240.0.0.0/5          0.0.0.0/0           
    0     0 DROP       all  --  eth0   *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
    0     0 DROP       icmp --  eth0   *       0.0.0.0/0            0.0.0.0/0            icmptype 8
    0     0 DROP       all  --  eth0   *       192.168.0.0/24       0.0.0.0/0           

Chain FORWARD (policy ACCEPT 15696 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         

Chain OUTPUT (policy ACCEPT 191 packets, 25875 bytes)
 pkts bytes target     prot opt in     out     source               destination  
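
The source-address rules above can be checked against the full RFC 1918 ranges. This Python script is an added example, not part of the original guide: it reads rules in iptables-save format (the sample is constructed from the commands above) and reports any part of a private range that no source-only DROP rule on eth0 covers. The function names are my own, and it assumes no earlier ACCEPT rule in the chain matches first.

```python
import ipaddress
import shlex

# Private address ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the INPUT rules from this guide as iptables-save
# would write them (eth0 is the Internet-facing interface).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 192.168.0.0/24 -i eth0 -j DROP
-A INPUT -s 10.0.0.0/8 -i eth0 -j DROP
-A INPUT -s 172.16.0.0/12 -i eth0 -j DROP
-A INPUT -s 224.0.0.0/4 -i eth0 -j DROP
-A INPUT -s 240.0.0.0/5 -i eth0 -j DROP
-A INPUT -s 127.0.0.0/8 -i eth0 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j DROP
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j DROP
COMMIT
"""


def dropped_sources(rules_text, chain="INPUT", iface="eth0"):
    """Source networks dropped on `iface` regardless of protocol or port."""
    nets = []
    for line in rules_text.splitlines():
        tok = shlex.split(line, comments=True)
        if tok[:2] != ["-A", chain] or "!" in tok:
            continue  # table/policy lines, other chains, negated matches
        opts = dict(zip(tok[2::2], tok[3::2]))
        # A rule that also names a protocol or port drops only part of the
        # traffic from its source range, so it does not count as coverage.
        if set(opts) - {"-i"} != {"-s", "-j"}:
            continue
        if opts["-j"] == "DROP" and opts.get("-i", iface) == iface:
            nets.append(ipaddress.ip_network(opts["-s"], strict=False))
    return nets


def uncovered(target, covers):
    """Parts of `target` that fall outside every network in `covers`."""
    remaining = [target]
    for c in covers:
        nxt = []
        for r in remaining:
            if r.subnet_of(c):
                continue                          # r is fully covered
            if c.subnet_of(r):
                nxt.extend(r.address_exclude(c))  # carve c out of r
            else:
                nxt.append(r)                     # c and r are disjoint
        remaining = nxt
    return list(ipaddress.collapse_addresses(remaining))


def audit(rules_text, iface="eth0"):
    """Map each RFC 1918 range to the sub-ranges still accepted on `iface`."""
    covers = dropped_sources(rules_text, iface=iface)
    return {str(t): [str(n) for n in uncovered(t, covers)] for t in RFC1918}


if __name__ == "__main__":
    for rng, gaps in audit(SAMPLE_RULES).items():
        status = "fully dropped" if not gaps else "NOT dropped: " + ", ".join(gaps)
        print(f"{rng:<16} {status}")
```

Run against this guide's rules, it reports that everything in 192.168.0.0/16 outside 192.168.0.0/24 is still accepted on eth0, including the 192.168.50.0/24 LAN subnet used here; writing the first rule with 192.168.0.0/16 closes that gap.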

At this point, you should have a fully functional router that has extremely low power usage and some basic security.

In the future, I plan to add a switch to my network and add some 802.1q trunks to my USB Nic so I can have multiple LANs, but that's a different article.

Thursday, November 3, 2011

How to Automatically Start Transmission Torrent Client on Ubuntu 11.10

I like to seed the current Ubuntu image on my computer, but remembering to start transmission every time I log in is a hassle. Here's how to start transmission automatically every time you log in to your user account on Ubuntu 11.10 (or other Ubuntu versions).

Open your Startup Applications window:


Click the add button:


Fill in the following:

You can change the name and comment to your liking. The -m in the command means transmission will start minimized; remove it if you want it to start visible.

Click the add button and you'll get the nice transmission indicator in the notification toolbar next time you restart.







Sunday, September 11, 2011

People Like Me Don't Trust Public Wifi Because of People Like Me

Let's face it, there are a myriad of ways for someone to intercept data sent over unencrypted wireless networks. Any 13 year old kid with access to google and enough luck to have a laptop with a compatible wireless chip can steal your packets and possibly intercept sensitive data.

One easy way to help prevent this is to set up a socks proxy when you use public wireless networks.

All you'll need is a publicly accessible computer running openssh and a laptop or other device with ssh installed.

The process is much the same as you would use ssh normally, with the addition of the -D switch and a port number. Open a terminal or command prompt and run this command:

 ssh -D 9999 [username]@[openssh host] 

Where 9999 is the port number the socks proxy will run on,
[username] is your username on the openssh host and
[openssh host] is the ip address or domain name of the openssh host.

Then open your browser's proxy settings and set up a socks proxy on port 9999 and a host of 127.0.0.1.

*The above image is from chromium browser which uses the system proxy settings. Other browsers will handle proxy settings differently.

Voila, encrypted traffic over public wifi.



Saturday, August 6, 2011

Updating IOS on a Cisco Wireless Access Point

Cisco's IOS is a feature rich piece of software that powers nearly every Cisco device. From time to time, Cisco updates their software to enable new features, improve performance or fix security issues. Unless you have a specific reason not to be running the latest version of IOS, it is generally a good practice to keep your devices updated.

Today, I will be detailing the process required to update the IOS software on a Cisco wireless access point.

There are two methods that can be used to accomplish this process: Using the CLI (command line interface) or using the web interface. Though I will detail both methods, I would highly recommend using the CLI as I have had a 100% success rate using this method. Whereas with the web interface, not so much...

Step 1: Get the latest version of IOS for your device

This is arguably the hardest part since Cisco's website isn't the easiest to navigate. Note: To continue any further, you'll need to log in with your cisco.com account. I also believe you need a valid Cisco service contract in order to be entitled to download any IOS software releases.

Click the Support tab at the top of the page, and search for the general model number of your device. I have a 1231AG AP, so I'll search '1231'.

It should return a few results related to your product. I'll select the Aironet 1230 AG Series.

It'll give a big list of all the products in that category. I'll click the 1230AG AP category on the right hand side.

It'll take you to a download page with all the different software available for your product. In this case, let's select 'IOS Software'.

Finally, we'll arrive at the IOS download page. Download the latest version or whatever specific version you wish to upgrade to. I'll be updating to 12.3(8)JEE.



Step 2: Upgrade!

Method 1: Updating via the command line is a little more complicated than using the web GUI, but I've had much better success this way. In order to perform the update, you'll need a TFTP server somewhere on your network. See Installing a TFTP server on Ubuntu 11.04 or Installing a TFTP server on a windows computer.

After you've got TFTP up and running, copy the IOS file you downloaded in the previous step into your TFTP server directory. Do not rename the file when copying it.

Next, SSH, Telnet, or console into your AP. If using SSH or Telnet, it's probably wise to be on a wired network for the remainder of the upgrade.

Once you've logged in, run the following command:

archive download-sw /overwrite /reload tftp://[location]/[image-name]

My TFTP server is located at 192.168.0.100 and the image I am upgrading to is c1200-k9w7-tar.123-8.JEE.tar. So the specific command I would use is:

archive download-sw /overwrite /reload tftp://192.168.0.100/c1200-k9w7-tar.123-8.JEE.tar

The AP will output some code as it gets the file from TFTP and proceeds to install the new version. Once it is complete, the AP will reload and the upgrade process is complete.


Method 2: Using the web GUI doesn't require you to enter any commands or use a TFTP server, though you still can if you want the practical experience. Navigate to the IP address of your AP in a browser and log in using your username and password.

Navigate to the "System Software" tab on the left hand menu, and then the software upgrade tab.


You'll see a screen looking very close to the following. If you choose not to set up a TFTP server, browse to the location of the file and click 'update.' If you do have a TFTP server, navigate to the TFTP server tab on the top of the page and fill in the IP address and the name of the image much like you would if using the CLI. After clicking update, a small window should pop up indicating the status of the upgrade.


With any luck, the process will complete and you'll have a properly updated AP.

Installing a TFTP Server on a Windows Computer

Though I'm a huge advocate of linux operating systems, I realize not everyone is in a position to make the switch. As such, today I will be detailing how to set up a TFTP server on a Microsoft Windows based computer. This guide serves as an accompaniment to my guide to updating Cisco IOS software. Please note, there are undoubtedly a variety of ways to set up a windows TFTP server; I just found this way to be the easiest.

I used a Windows XP box (technically a virtual machine, but the process is the same on a dedicated Windows computer) for my install, but the process should be more or less the same on all versions of Windows.

First, download the tftpd32 program from http://tftpd32.jounin.net/tftpd32_download.html. This is a nice little open-source TFTP server for windows.
I chose the installer version, but if you prefer to download the smaller zip version, it's the same thing once you extract the zip archive.

Next, begin the installer by opening the .exe file. You'll get a license agreement, etc, etc. Continue to click next until the process completes.

The program is located at Start > All Programs > tftpd32 > tftpd32.exe

The first time you start the TFTP server, windows firewall should pop up. Click unblock to allow tftpd32 to work.

Voilà! You're finished.

Either copy the files you wish to serve via TFTP to C:\Program Files\Tftpd32 or browse to a different directory of your choosing. Just point the TFTP client at the address listed in 'server interfaces' and your TFTP server is up and running.

Saturday, July 16, 2011

Installing a TFTP Server on Ubuntu 11.04

TFTP has a variety of uses in the networking world due to its simplicity and ease of use. This guide serves as an accompaniment to my guide to updating Cisco IOS on a wireless access point. Just note there are a multitude of ways to set up a TFTP server on linux, I just found this way to be the easiest.

Guide originally posted here: TuxCoder

I performed this install on a server running Ubuntu 11.04. All commands should be executed by the root user or by using sudo.

First, install the needed TFTP packages.

sudo apt-get update && sudo apt-get install tftp-hpa tftpd-hpa

The default location for TFTP files is /var/lib/tftpboot. You can set a different location later if you'd like, but you must chmod and chown the directory you choose.

sudo mkdir /var/lib/tftpboot
sudo chown nobody:nogroup /var/lib/tftpboot
sudo chmod 777 /var/lib/tftpboot

Edit the TFTP server configuration file to put the service in daemon mode and set a custom directory you may have chosen above.

sudo nano /etc/default/tftpd-hpa

Edit the file to your liking.

#Defaults for tftpd-hpa
RUN_DAEMON="yes"
OPTIONS="-l -s /var/lib/tftpboot"

Start the TFTP server.

sudo /etc/init.d/tftpd-hpa start

To ensure the service started, run this command:

netstat -a |grep tftp

The output should look something like this:

$ netstat -a | grep tftp
udp 0 0 *:tftp *:*

Copy any files you need to share over TFTP to /var/lib/tftpboot or the directory you chose and you're good to go!

Saturday, July 2, 2011

Enterprise Grade Wireless at Home

Faced with poor signal strength, I recently decided to replace my SOHO (small office/home office) wireless router with an enterprise grade solution.

Meet my new Cisco Aironet 1231 access point. Today I will be explaining the steps required to get a Cisco access point up and running in your home.

Step 1: Purchasing

Deciding what to look for is important. The 1231 I purchased is not the newest AP Cisco has created, but it suits my needs perfectly and it was cheap. If you're looking for something newer, try a Cisco 1241 series wireless access point. You can always compare features on Cisco's website to determine if what you're buying is what you need.

I absolutely recommend looking for APs on Ebay. I bought mine for $18 (less $11 shipping) on Ebay. Companies that are updating to the newest gear often sell their old stuff to Ebay wholesalers for next to nothing, passing the low prices on to you. Alternatively, there are plenty of other Cisco resellers on the web, search Google if this is the route you want to go.

When deciding what AP to purchase, the model number is absolutely the most important part of the decision. Cisco has two types of APs, autonomous and lightweight.

Lightweight APs

Lightweight APs will have a model number starting with:

air-lapxxxx
or
air-capxxxx (on the newest models)

where 'xxxx' is the series of the AP. For example, a lightweight 1231 series AP would have a model number starting with air-lap1231. You do not want to buy an AP with a model number like this.

Autonomous APs

Autonomous APs will have a model number starting with

air-apxxxx

where again 'xxxx' is the series of the AP. An autonomous 1231 series AP (like mine!) would have a model number starting with air-ap1231. You do want to buy an AP with a model number like this.

What's The Difference?

Autonomous APs are designed to work as a standalone unit. The configuration for the AP is stored on the AP and each AP is configured separately.

Lightweight APs are designed to work in what is called a WLAN group. Lightweight APs do not store their configuration locally; instead they connect to a Cisco WLAN controller to receive their configuration. Lightweight APs are useful in situations where a multitude of APs are going to be deployed and going through and configuring each one independently is just not feasible. For example, the organization I work for has nearly 1000 APs throughout our campus. We have 8 WLAN controllers to handle all these APs. Managing all 1000 APs and making sure the configuration for each is the same would be a nearly impossible task. Adding additional coverage would also be a nightmare.

In an at home scenario you're likely to have one, maybe two APs tops. This coupled with the fact that even a small controller for only a few APs costs upwards of $1500 (the ones we use at work cost $40,000 each) makes autonomous APs the way to go unless you literally have money to throw away.

If for some reason in the future your wireless installation expands to the point where lightweight APs become a consideration, you can convert autonomous APs to lightweight mode. You can not convert lightweight APs to autonomous mode.

Other Model Number Considerations

The autonomous/lightweight designation is only the first part of a model number. The full model number of my AP is air-ap1231g-A-K9. The 'g' designation means that it supports the 802.11g wireless standard. If the model number were air-ap1231b-A-K9 it would mean that the AP only supported the 802.11b standard. The newest APs will have something like air-apxxxxn-A-K9 which means they support the 802.11n standard.

I recommend looking for an AP that is at least 802.11g capable as wireless G is about as much as most home users will need. If you can get a good deal on an 802.11n AP, go for it as wireless N is the newest and fastest standard. Avoid 802.11b gear as this is an older standard which doesn't deliver as much throughput as its newer counterparts. Check here for a complete rundown of the differences between the wireless standards.

As a note, most Cisco APs also do 802.11A (The beaver tail looking thing on mine is a wireless A add-in transmitter) but not a lot of devices you're going to see in your home are wireless A compatible. I don't even have my wireless A antenna broadcasting (more on this later) because I have no devices that can utilize the signal.

Additional Purchasing Considerations

Depending on where you buy your AP, you may need to purchase a few additional items. Make note of what is included in your Ebay auction or other purchase and choose accordingly.

Power Brick


Some people cheap out and don't include the power brick in the purchase. You can find them for about $1.50 online. Every Cisco power brick I've ever seen has a 48V, .38A output.

Cisco Serial Cable

If your computer has a serial port, you can use this baby blue cable to access the AP's console. Not specifically necessary as you can also access the console via SSH or telnet. Most of the time you won't need to access the console anyway; buy one if you want one.

Mounting Kit

Every new AP comes with one of these kits that includes a mounting bracket and various screws. Many online retailers don't include this kit with a purchase. If you want to mount your AP on a wall or roof, you'll need a mounting bracket. The mounting brackets are AP specific, so make sure you get the right one for your particular AP.

Power Injector

Let's say you want to mount your new AP on the roof of your living room because that's where you use your wireless devices the most. Chances are, you don't have a power outlet on the ceiling in your living room, or anywhere for that matter. Power injector to the rescue! A power injector allows you to send power over the ethernet cable you'll be plugging into the AP, eliminating the need to plug the AP directly into wall power. Essentially, the power injector plugs into a wall outlet. One port on the power injector goes to the router, and the other port on the power injector goes to the AP. Voila! No need to plug in the AP directly. This technology is called power over ethernet and is becoming more commonplace.

Cables

Depending on what you do or don't have on hand you might need to buy some additional ethernet cables. Sizes you need will be very installation specific so I'll let you figure that out. On a side note, buy Cat6 cables as they're the newest technology and you'll pay a premium for Cat5 nowadays anyway. Online vendors are often cheaper than your local electronics store. I like Cablesys but shop around.

Step 2: Configuration

Once your AP arrives in the mail, it's time to set it up. The best practice is generally to reset the AP once it arrives. Hold the mode button for about 2 seconds as you plug the AP in. The indicator LEDs will turn amber to indicate the AP is resetting (This process may vary depending on the model, Google is your friend). This removes any previous configuration the previous owner may have had and configures the AP to use DHCP to get an address.

Once the AP is reset, plug the port labeled 'Ethernet' into your router (the port labeled 'Console' is where the baby blue serial cable goes). Once the AP boots, it's time to find out what address it pulled. This will vary from router to router but it's generally under a tab labeled 'DHCP' or the like. Here's what the page on my D-link router looks like:

The default hostname is "ap." Navigate to whatever address the AP has in a browser, in my case, 192.168.0.2.
You'll get a login dialog like this:

Default user name is 'Cisco'
Default password is 'Cisco'

After logging in, you'll be greeted by a page like this:


Navigate to the Express Set-Up tab on the left hand menu.

Set a hostname. Whatever you want to enter here is fine, just something to identify the AP on the network.

Choose how the AP will get an IP Address. I'd leave this set to DHCP unless you're comfortable enough with subnetting to set a static address.

Scroll down to the radio section. Your page may look different than mine depending on how many different radios your particular AP has.

One of the beauties of these enterprise APs is the number of things you can use them for, but for now we're just going to select access point.

You can choose radio optimization based on your situation. If your house is relatively small and the AP is in a central location, you can probably choose "throughput." If your house is large or the AP is located far away from where you want the wireless signal you'll probably want to choose "range." You can experiment with these settings once the AP is up and running to see which gives you the best results.

You can choose to disable aironet extensions if you wish. You won't be able to take advantage of them unless you have an aironet wireless card for your laptop or other device.

Navigate to the Express Security tab on the left hand side of the screen.

Choose an SSID. This is the name of the wireless network that your devices will connect to.

The broadcast SSID in beacon checkbox will make your network hidden if not selected. Select it unless you know what a hidden network is.

Select 'No VLAN' unless you have VLANs in which case you probably won't need to read this article.

Enable AT LEAST WEP security. WEP isn't the most secure protocol out there, but it's better than nothing. 128 bit is preferable over 40 bit. To enable WPA you'll need a radius server (A topic for another article).

Click Apply once you've filled in all the settings.


Now it's finally time to enable the radios and connect to the network!

Click the Network Interfaces tab on the left hand side and then whichever radio you wish to enable (802.11G in my case).


Click the settings tab at the top of the screen.

Check Enable for the Enable Radio option.

Select Access point for the Role in the network.

Select whichever suits your installation best for the data rates option (you can always come back and experiment later).



All the other options on the page should be auto populated. If for some reason they're not, copying my settings should work fine.




Click Apply. Correct any error popups that may occur.

Click the Home tab on the left hand side. Congratulations, your radio should now show up and you'll be able to connect to your new wireless network! Enable any additional radios you want following the same process.

One good practice is to change the default username and password under the Security tab. Now that you're well versed with the Cisco web GUI, this should be a breeze to figure out.