Wireless Security

How-To: Building a Guest Wireless Network For Under $300 – Part I

[Note: This is a re-post from the wrt54ghacks.com blog which has been intergrated into this blog. For an even more updated version of this hack see my article in (IN)Secure Magazine, Issue 17]
So, here is the scenario, you need a wireless network for guests, it has to be easily accessible (i.e. can’t require a WPA supplicant) and be secure. This is a common problem, and one that is not-so-easily solved. For example, you may want a separate wireless network for training rooms, on-site visitors, consultants, or for just general guests to your organization. Guest such as these typically only require access to the Internet and nothing else. The nice part is, all this can be done for under $300 (on a small scale with two access points), and its all open-source! This is a great, cheap, fast, and easy way to handle guests that may be coming into your network. Of course, this is only the first step. In future parts we will show you how to add the security measures, such as captive portals, bandwidth shaping, intrusion detection, and firewalling. To get us started you will need:

Below are the step-by-step guidelines for getting the initial setup going:
Step 1 – Unbox and flash the routers. For the WRT54GL, you must use the web interface to put the initial OpenWrt image on them. (Question, why does Linksys not enable boot_wait by default?). Also, do not use the PoE adapters when flashing!
Step 2 – Change the IP address of the routers, enable boot_wait, and set the hostname:

nvram set lan_ipaddr=”″
nvram set boot_wait=”on”
nvram set wan_hostname=”myap1″
nvram set wan_proto=”none”
nvram commit

Step 3 – Create a separate VLAN or physical network, preferably with a separate Internet connection. Put that APs on that subnet.
Step 4 – Harden and perfomance tune OpenWrt – Remove the packages that are not required:

ipkg update
ipkg remove ppp ppp-mod-ppoe webif haserl kmod-ppp kmod-pppoe
ipkg upgrade

Disable services not required:

cd /etc/init.d
mv S50httpd disabled_S50httpd
mv S50telnet disabled_S50telnet

Step 5 – Enable DHCP on each of the access points:

cat > /etc/init.d/S60dnsmasq
#! /bin/ash
/usr/sbin/dnsmasq &

Now, remove the DHCP configuration from the /etc/dnsmasq.conf, and replace it with:

# enable dhcp (start,end,netmask,leasetime)
# use /etc/ethers for static hosts; same format as –dhcp-host
# other useful options:
# Default Gateway
# DNS Servers

Step 6 – Reboot the WRT54GL, make sure all is well. Now, connect the POE adapaters and place the APs where you want them.
Step 7 – Configure Wireless – Place the access points on their respecitve channels using the command nvram set wl0_channel=1. Ideally, you could have 3 APs, one on channel 1, 6, and 11. Now, set all of the SSIDs to the same value using the command nvram set wl0_ssid=”guestwireless. Finally be certain to run nvram commit to commit your changes, and /sbin/wifi so that the wireless system picks up the new values.
You should now be able to associate to the given SSID. Which access point you associate with will depend heavily on the wireless driver that you are using, and other factors that require too much math.
In Part II, we will show you how to implement a captive portal for guest authentication, and add additional layers of security such as intrusion detection and IP filtering.
Paul Asadoorian (Edits by Larry Pesce)

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.