How to provide some extra excitement to anonymous people that use your wireless network


March 02, 2005

1. Disclaimer

First of all, have a look here: http://www.kismetwireless.net/.
Then read this.

If you still want to let other people use your internet connection and access your computers, go ahead and read the rest.

This document is provided "as is", there is no warranty or other stuff, use it at your own risk. You can copy, reproduce, do whatever you want with the info from this document, I'm still not responsible for anything :-)

2. Scope

To provide some excitement to those anonymous people that will use your internet connection.

The router configuration for the internet connection is beyond the scope of this document. Make sure that you can connect to the Internet with a workstation behind your external router.

3. Requirements

- basic knowledge of TCP/IP and Windows
- manuals for router configuration
- able to connect network cables
- able to follow directions

4. Hardware/software inventory list

- internet connection (cable or dsl)
- cable or dsl modem (usually supplied by your ISP)
- three routers with 4 internal ports each, one of them wireless enabled
- network cables
- one computer that runs Windows XP
- laptop with wireless card that can connect to the wireless router

5. Concept

The idea is to implement a second layer of authentication before allowing a wireless laptop to go on the internet.
To achieve this we will create a Demilitarized Zone (also known as a DMZ). It sounds scary but in fact it is not.

6. Setup diagram



Routing tables for each router:

The external router:
Destination LAN IP   Subnet Mask         Default Gateway      Interface
0.0.0.0              0.0.0.0             abc.def.ghi.jkl      WAN
abc.def.ghi.0        255.255.255.0       0.0.0.0              WAN
10.10.1.0            255.255.255.0       0.0.0.0              LAN

The internal wired router:
Destination LAN IP   Subnet Mask         Default Gateway      Interface
0.0.0.0              0.0.0.0             10.10.10.1           WAN
10.10.1.0            255.255.255.0       0.0.0.0              WAN
10.10.3.0            255.255.255.0       0.0.0.0              LAN

The internal wireless router:
Destination LAN IP   Subnet Mask         Default Gateway      Interface
0.0.0.0              0.0.0.0             10.10.10.10          WAN
10.10.1.0            255.255.255.0       0.0.0.0              WAN
10.10.2.0            255.255.255.0       0.0.0.0              LAN

7. Router configuration

The external router without wireless:
- take one of the wired routers and connect it to the DSL/cable modem; the WAN (external) interface will get a routable IP address assigned by your ISP (using protocols like PPPoE, PPPoA, DHCP etc.): abc.def.ghi.jkl (and the external subnet will be abc.def.ghi.0/mn)
- for LAN use the 10.10.1.0/24 range (netmask 255.255.255.0)
- assign a static IP address to the internal interface (LAN): 10.10.1.1
- disable the DHCP server that usually runs on the router


The internal router without wireless:
- connect the WAN interface to a LAN port on the external router
- assign a static IP to the WAN interface: 10.10.1.3 netmask 255.255.255.0
- as default gateway use the internal interface of the external router: 10.10.1.1
- for DNS servers use the IP addresses of your ISP's DNS servers
- for LAN use the 10.10.3.0/24 range (netmask 255.255.255.0)
- enable the DHCP server to provide IP addresses from 10.10.3.100 to 10.10.3.150
- forward WAN port 1723 to port 1723 of 10.10.3.3
- enable "PPTP pass through" and "IPSec pass through"
- if the router has the option "PPPoE pass through", make sure it is disabled
- firewall configuration: allow wan request (so it will respond to ping)


The internal wireless router:
- connect the WAN interface to a LAN port on the external router
- use static IP for the WAN interface: 10.10.1.2 netmask 255.255.255.0
- do not provide a default gateway (or, if you have a Linksys wireless router, provide an IP from the 10.10.1.0/24 range that is not assigned, let's say 10.10.1.10)
- for LAN use the 10.10.2.0/24 range (netmask 255.255.255.0)
- enable the DHCP server to provide IP addresses from 10.10.2.100 to 10.10.2.150
- enable "PPTP pass through" and "IPSec pass through"
- if the router has the option "PPPoE pass through", make sure it is disabled
- firewall configuration: allow wan request (so it will respond to ping)
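
The isolation in this design rests entirely on the wireless router having no usable default gateway. The following added example (not part of the original document) models the three routers with the addresses from this section and follows a packet hop by hop using longest-prefix matching. The names ROUTES, DMZ_OWNERS, next_hop and trace are made up for the illustration, "ISP" stands for the provider's gateway, and 203.0.113.7 is a constructed address standing in for any Internet host.

```python
import ipaddress

# Addresses from section 7. Each route is (destination network, next hop);
# a next hop of None means the network is directly connected.
ROUTES = {
    "wireless": [("10.10.2.0/24", None), ("10.10.1.0/24", None),
                 ("0.0.0.0/0", "10.10.1.10")],   # Linksys variant: unassigned IP
    "wired":    [("10.10.3.0/24", None), ("10.10.1.0/24", None),
                 ("0.0.0.0/0", "10.10.1.1")],
    "external": [("10.10.1.0/24", None), ("0.0.0.0/0", "ISP")],
}

# Which router holds each assigned address on the 10.10.1.0/24 DMZ segment.
DMZ_OWNERS = {"10.10.1.1": "external", "10.10.1.2": "wireless",
              "10.10.1.3": "wired"}

def next_hop(router, dst):
    """Longest-prefix match of dst against one router's table."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(net), hop)
               for net, hop in ROUTES[router]
               if addr in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def trace(router, dst, max_hops=5):
    """Follow a packet from router towards dst; return (forwarded, path)."""
    path = [router]
    for _ in range(max_hops):
        hop = next_hop(router, dst)
        if hop is None:              # dst is on a directly attached network
            return True, path
        if hop == "ISP":             # handed to the provider
            return True, path + ["ISP"]
        if hop not in DMZ_OWNERS:    # nobody answers for the gateway address
            return False, path + [hop + " (unassigned)"]
        router = DMZ_OWNERS[hop]
        path.append(router)
    return False, path

if __name__ == "__main__":
    for start, dst in [("wireless", "10.10.1.3"), ("wireless", "203.0.113.7"),
                       ("wired", "203.0.113.7")]:
        print(start, "->", dst, trace(start, dst))
```

A client behind the wireless router reaches 10.10.1.3 (the PPTP endpoint) but its Internet traffic dies at the unassigned gateway, while the wired side is forwarded through the external router.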

8. TCP/IP configuration for the Windows XP machine

The Windows XP machine will be connected with a network cable to the internal router that does not have the wireless feature.
Assign it a static IP: 10.10.3.3 and subnet mask 255.255.255.0. As default gateway, use the internal interface of the internal router: 10.10.3.1
For DNS servers use the IP addresses of your ISP's DNS servers.
At this point, using this machine you should be able to:
- ping the internal interface of the internal router (10.10.3.1)
- ping the external interface of the internal router (10.10.1.3)
- ping the internal interface of the external router (10.10.1.1)
- ping the external interface of the wireless router (10.10.1.2)
- ping www.google.com
- browse the Internet
If one of the above things doesn't work then stop here, go back and review the settings.

9. VPN configuration for the Windows XP machine

You might be surprised but Windows XP Professional (I don't know about the other versions - Home, Media Center and Embedded) can function as a VPN server allowing PPTP connections to it.

Here is how you enable this feature.
First of all, create a user that will be used ONLY for VPN connections. Go to Computer Management -> Local Users and Groups -> Users and create a new user. Name it as you wish; I named mine "vpnuser". Give it a strong password: at least 8 characters, mixing letters (lower/upper case), numbers and special characters.
Then in Control Panel double-click on "Network Connections", then double-click on "New Connection Wizard".

This should show up:


Now your Windows XP machine is ready to accept incoming VPN connections.

10. VPN Configuration for the wireless laptop

First of all, make sure you can connect with your laptop to the wireless router. Do anything you can to make this connection as secure as possible (lock down the router, use a 128-bit WEP key, enable wireless connection only for the MAC address of your laptop's wireless card etc.).

Once you are connected then do this:
- ping the internal interface of the wireless router (10.10.2.1)
- ping the external interface of the wireless router (10.10.1.2)
- ping the internal interface of the external router (10.10.1.1)
- ping the external interface of the other internal router (10.10.1.3)
- do not try to browse the Internet; the wireless router does not have a valid default gateway, remember? (See section 7, "The internal wireless router")

If one of the above things doesn't work then stop here, go back and review the settings.

Create a VPN connection using the following details:
- vpn server: 10.10.1.3
- login: vpnuser
- password: **********
- domain: [the name of the Windows XP computer]

Now connect to the Windows XP machine.
There you go, the world is yours!

11. Conclusion

Comments, suggestions to: zsirbu at gmail dot com