This document no longer reflects my configuration, but rather than delete possibly useful information, I've made notes of my changes on a new errata page.
Typically there are two choices when setting up a small network: buy consumer grade commercial hardware, or find an old machine and install unix. A small wireless router and firewall from NetGear or Linksys could hardly be easier to install and has many pretty blinken lights. It isn't very flexible though, often two or more different boxes are needed, upgrading means buying another one, and some "enterprise" features are plain not available at the low end. On the other hand, a full fledged computer makes a lot of noise and has many moving parts to fail.
The solution: create a custom network device running on silent hardware designed for embedded systems. Select the best hardware and software available to create a device unparalleled by anything in the commercial marketplace.
The real selling point however is that this network device will be running a full unix operating system, which provides nearly infinite flexibility. All aspects of operation can be fine tuned, comprehensive monitoring is possible, and arbitrary programs may be installed.
Soekris Engineering produces an excellent line of tiny, x86 compatible, embedded computers complete with cases. So first on the list, one net4521 which has the following key specifications:
The Soekris boards support all the free *BSD variants, Linux, and probably anything else that runs on standard PC compatible hardware. Soekris has quite a following amongst the wireless networking community, and so has a lively mailing list with volumes of information about how to get everything working.
Next is an 802.11b wireless card. Many aren't capable of acting as an access point, and some aren't even supported under open source operating systems. Fortunately there is a wonderful chipset called Prism from Intersil that is very well supported under *BSD and Linux, and it supports an access point mode.
One of the people on the Soekris mailing list happens to have a company named NetGate, and this company just happens to ship a 802.11b PC-Card based on the Prism 2.5 chipset which puts out 200mw with excellent sensitivity ratings. Not only that but they sell kits which include:
Great stuff!
Choosing the right network operating system may be the toughest task. Linux and the *BSDs (FreeBSD, NetBSD, OpenBSD) will all run on this hardware, as will other non-free operating systems which I gave no thought to. The HostAP driver and software are what allow a Prism based 802.11b card to act as an access point. Apparently this was written for Linux but it is available on BSD too.
OpenBSD has a hard won reputation for security, stability, and everything else I am looking for. It was the natural choice, and many other people on the Soekris mailing list have discovered the same thing. There is even a project called OpenSoekris which will help set up a Soekris based system from an existing OpenBSD install.
Some of the key features of OpenBSD are:
Sure WEP can be cracked, so can a copper cable network, it just requires more intrusive physical access. Even more intrusive is tapping into fiberoptic cables, but that too is possible. Real security requires top strength crypto and a great solution is IPsec.
IPsec, via the ISAKMP protocol, can handle client authentication via passphrases or x.509 certificates. No need to worry about 802.1x or proprietary enhancements to WEP. IPsec is extremely strong and isn't tied to wireless networks. So, the security portion of the plan is:
The project is divided into the following sections:
There are also client configuration how-tos: