Guest Wireless VLAN Via Airport Express

Wireless networks have become ubiquitous. We use them at home, work, mall, airport, coffee shop and just about everywhere else we go. When setting up a wireless network, it’s wise to spend some quality time considering how you plan to use that network. One important question is whether guests will be allowed to have network access. If your answer is yes, the next question is how you are going to protect yourself. It’s not very wise to allow unfettered guest access to your production network, where a guest can poke around and, with a little bit of ingenuity, gain access to data and resources that they shouldn’t have access to.

I recently set up a new office and as part of that process wanted to make provision for guest internet access, but I didn’t want to set up separate access points for employees and guests. I knew Apple had functionality to allow for the creation of guest networks via their Airport products but was a bit skeptical that it would work for me because Apple assumes you are using an Airport Extreme as your primary router. I would never use such a device as my primary router but, as always, where there’s a will, there is a way. Airport Expresses are cheap so I figured I would buy one and give it a shot.

Windows Airport Utility Issue

After receiving my Airport Express (I really bought three) I set it up and then downloaded the latest Airport Utility for Windows (5.6.1) so I could start my configuration.

Airport Utility for Windows – ABOUT

As I looked through the interface I couldn’t find anything related to setting up a guest network. I knew I had seen these configuration options before while configuring an Airport Extreme. Their absence here made me question whether guest network support existed on the Airport Express products.

Wireless Tab on Airport Utility for Windows

Before giving up I decided to try the Mac version of the Airport Utility. I pulled out my Macbook, ran the utility and Voilà; I could see the guest network settings that I had expected to find. Not a big deal, but it’s helpful to know that the Airport Utility for Windows is lacking in functionality and cannot be used to implement a guest wireless network on an Apple Airport Express.

Wireless Tab on Airport Utility for Mac

How It Works

Now that we know how to define our network, we need to figure out how to make the guest network coexist with the rest of our configuration and how we can keep its traffic separate from our internal traffic. Since I have no interest in running an Airport Extreme as my router, I configured my Airport to operate in bridge mode, which means I’m using it as an access point only. I then plugged a patch-cord into the Airport’s WAN port and plugged the other end into my switch.

Airport Express Layout

A quick test revealed that I could now access resources from both of my defined wireless networks. This raises the question: how can we differentiate the guest traffic from the non-guest traffic? Furthermore, how can we limit what guests can access? The answer lies in what Apple does to the packets that come in over the guest network. As you might have already speculated, there’s no magic here: Apple simply tags the packets with a VLAN ID, which happens to be hard-coded to 1003.

Explaining how VLANs work is beyond the scope of this post, but suffice it to say that with VLAN tagging, we can manage our traffic more effectively even if that traffic is running across the same wire/network. In our case, that means I can use the same access point to allow employees access to the internal network and the internet while limiting guests to internet access only.

The Router

I love building routers and I regularly vacillate between a pfSense router and, my true love, a Linux-based iptables router. In this instance, I’m using pfSense to manage my traffic. All I need to do is create a VLAN interface for our 1003 tag, set up DHCP for the interface, define my outbound firewall rules and I’m done.

pfSense VLAN Interface
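
The same three steps on a Linux/iptables router, as an added example that is not the author's pfSense configuration: the interface names eth0/eth1, the 192.168.103.0/24 guest subnet and the RUN dry-run switch are assumptions. It prints the commands by default, and the DHCP service itself is left to whatever DHCP daemon you run.

```sh
#!/bin/sh
# Added example (not from the original post): guest VLAN 1003 on a Linux/iptables
# router. Interface names and the guest subnet are assumptions; adjust to your box.

GUEST_VLAN=1003                       # tag the Airport puts on guest traffic (from the post)
TRUNK_IF="${TRUNK_IF:-eth1}"          # assumed: NIC facing the switch/Airport
WAN_IF="${WAN_IF:-eth0}"              # assumed: Internet-facing NIC
GUEST_IF="${TRUNK_IF}.${GUEST_VLAN}"  # VLAN sub-interface, e.g. eth1.1003
GUEST_ADDR="${GUEST_ADDR:-192.168.103.1/24}"  # assumed router address on the guest net
GUEST_NET="${GUEST_NET:-192.168.103.0/24}"    # assumed guest subnet
RUN="${RUN:-echo}"                    # dry run: print commands; RUN=sudo applies them

guest_vlan_commands() {
  # 1. Sub-interface that receives only frames tagged 1003
  $RUN ip link add link "$TRUNK_IF" name "$GUEST_IF" type vlan id "$GUEST_VLAN"
  $RUN ip addr add "$GUEST_ADDR" dev "$GUEST_IF"
  $RUN ip link set "$GUEST_IF" up

  # 2. Guests may reach the router itself only for DHCP and DNS
  $RUN iptables -A INPUT -i "$GUEST_IF" -p udp --dport 67 -j ACCEPT
  $RUN iptables -A INPUT -i "$GUEST_IF" -p udp --dport 53 -j ACCEPT
  $RUN iptables -A INPUT -i "$GUEST_IF" -p tcp --dport 53 -j ACCEPT
  $RUN iptables -A INPUT -i "$GUEST_IF" -j DROP

  # 3. Guests may be forwarded to the WAN only; every other destination
  #    (LAN, employee wireless) falls through to the DROP
  $RUN iptables -A FORWARD -i "$WAN_IF" -o "$GUEST_IF" \
       -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  $RUN iptables -A FORWARD -i "$GUEST_IF" -o "$WAN_IF" -j ACCEPT
  $RUN iptables -A FORWARD -i "$GUEST_IF" -j DROP
  $RUN iptables -t nat -A POSTROUTING -s "$GUEST_NET" -o "$WAN_IF" -j MASQUERADE
}

guest_vlan_commands
```

The rules are appended with -A, so a broader ACCEPT earlier in the INPUT or FORWARD chain would still let guest traffic through; check the existing ruleset first. The switch ports between the Airport and the router also have to carry frames tagged 1003.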

I won’t cover it here, but I also recommend the use of a captive portal for your various networks. I use a portal for my LAN as well as my employee and guest wireless networks. This allows me to effectively throttle bandwidth usage while also limiting which devices have access to my network.

Until next time – GEEK OUT!

~GT~

   

Infinite Video Loops on a Raspberry Pi

I recently upgraded my office by moving to a great new location. As part of the move I added a ton of new space to accommodate our rapid growth and even added a “play area” for the staff so they can burn off some of the frustrations of the “daily grind” with a bit of Ping Pong and, very soon, Xbox. I also added a very nice reception area with a TV where I could run a continuous loop of some of our marketing videos.

I decided to go with a Raspberry Pi to run the movies since it’s low cost, low power and very easy to hide behind the TV. I installed Raspbian and since there’s no GUI player that I could find to queue up the movies to run in a loop, I wrote a simple bash script to run a loop using omxplayer.

#!/bin/bash

# the path to the directory containing my videos
VIDEOPATH="/home/pi/Desktop/videos/"
SERVICE="omxplayer"

# the infinite loop!
while true; do
  # VIDEOPATH already ends in a slash; quoting keeps file names with spaces intact
  for entry in "$VIDEOPATH"*
    do
      omxplayer "$entry" > /dev/null
      sleep 1;
    done
done

This script seemed to work just fine but not long after I started it up, I ran into issues. The first problem was the gap in playback; it wasn’t seamless. While not a big issue, it looked ugly because I could see the desktop and the console window in the gap. To fix this I maximized the console and modified my script to turn off the cursor and set my text to black so all I could see was a black screen during the gap. Not the best solution, but I could live with it.

#!/bin/bash

cleanup()
# cleanup function
{
  setterm -cursor on
  setterm -foreground white -clear
  return $?
}

control_c()
# run if user hits control-c
{
  echo -en "\n*** Exiting! ***\n"
  cleanup
  exit $?
}

# trap keyboard interrupt (control-c)
trap control_c SIGINT

# main() loop
# get rid of the cursor so we don't see it when videos are running
setterm -cursor off
setterm -foreground black
setterm -clear

# the path to the directory containing my videos
VIDEOPATH="/home/pi/Desktop/videos/"
SERVICE="omxplayer"

# the infinite loop!
while true; do
  # if a player is already running, kill it before starting the playlist
  if pgrep "$SERVICE" > /dev/null
  then
    pkill omxplayer
    sleep 1;
  else
    for entry in "$VIDEOPATH"*
      do
        clear
        omxplayer "$entry" > /dev/null
        sleep 1;
      done
  fi
done

Again, this seemed to work just fine but then I ran into my second issue. This time it was the screen going to sleep. A quick Google search reveals that this is a common problem and there are lots of suggestions for fixing it. I experimented with a few options and what worked for me was to modify the Light Display Manager configuration.

sudo nano /etc/lightdm/lightdm.conf

Now look for [SeatDefaults] and insert this line below it:

xserver-command=X -s 0 dpms

This modification absolutely resolved the sleep issue but then I ran into my third problem. For some reason the omxplayer process seems to hang. I see the desktop on the TV but no movie. When I look at my processes I see omxplayer running. There’s probably a more elegant fix, but I decided to take a brute force approach to resolving the issue. Rather than just play every video in my videos folder, this time I explicitly start each movie and use bash’s built-in control operator (&) to fork processes. Doing this means my script keeps running even if the omxplayer process hangs. Then I sleep for the same duration as the video and issue a pkill command to nuke the omxplayer process just in case it’s hung.

#!/bin/bash

cleanup()
# example cleanup function
{
  setterm -cursor on
  setterm -foreground white -clear
  return $?
}

control_c()
# run if user hits control-c
{
  echo -en "\n*** Exiting! ***\n"
  cleanup
  exit $?
}

# trap keyboard interrupt (control-c)
trap control_c SIGINT

# main() loop
# get rid of the cursor so we don't see it when videos are running
setterm -cursor off
setterm -foreground black
setterm -clear

# the path to the directory containing my videos
VIDEOPATH="/home/pi/Desktop/videos/"
SERVICE="omxplayer.bin"

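# the infinite loop!
while true; do
  # if a player is already running, kill it before starting the playlist
  if pgrep "$SERVICE" > /dev/null
  then
    pkill "$SERVICE"
    sleep 2;
  else
    # start each movie in the background, sleep for its duration,
    # then kill the player in case it has hung
    omxplayer "${VIDEOPATH}movie1.mp4" > /dev/null &
    sleep 100;
    pkill "$SERVICE" >/dev/null 2>&1
    omxplayer "${VIDEOPATH}movie2.mp4" > /dev/null &
    sleep 67
    pkill "$SERVICE" >/dev/null 2>&1
  fi
done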

My final version of the script has been working beautifully and has proven to be a solid solution for running movies in a continuous loop on the Raspberry Pi platform.

Until next time – GEEK OUT!

~GT~

   

Soekris net4801 pfSense Router

I’ve been running a pfSense router on a small form-factor PC for a few years and have been happy with my setup. What I don’t like though is that the PC is relatively loud and draws way more power than is necessary to meet my routing needs. As part of a recent move I thought I would take advantage of the opportunity and dig out my old Soekris 4801 and try it out as my router instead.

Following are the steps I took to turn my net4801 into a pfSense router and the resulting speedtest returns.

The Box

In case you don’t know, the Soekris net4801 is a compact, low-power, low-cost computer based on a 233 MHz 586-class processor. My box has three 10/100 Mbit Ethernet ports, 256 Mb SDRAM main memory and a 4Gb CompactFlash card plugged into the main board.

Soekris net4801

Flashing the CF Card

The first thing we need to do is grab a copy of the image we want to burn to our CF card. I grabbed a copy of the latest embedded platform build for i386 for 4g cards (pfSense-2.1.4-RELEASE-4g-i386-nanobsd.img.gz).

Next we need to extract the image and burn it to our card. This is an easy process regardless of platform, but I happened to be on a Mac when I downloaded the image so those are the steps I’ll provide:

  1. Double-click the downloaded gzip in Finder and it will extract the image file to pfSense-2.1.4-RELEASE-4g-i386-nanobsd.img
  2. Insert the CF Card and unmount the Volume – Your volume name may be different. If in doubt, Google it!
     sudo diskutil unmount /dev/disk2s1
  3. Write the image to the card
     sudo dd bs=512000 if=pfSense-2.1.4-RELEASE-4g-i386-nanobsd.img of=/dev/rdisk2

This process will take a while so don’t be in too big of a hurry.

Booting Up

Now you’re ready to install the CF Card back in the 4801 and boot up. Some sites claim that the image will just work and the Soekris box will boot right up. That, however, was not my experience.

In order to find out what was going on I needed a way to view the device console. Since the Soekris box doesn’t have a VGA, DVI or HDMI port, I had to dig through my stash to find some parts to connect to the old-style serial console port. The Soekris box has a male DB9 serial port for its Console. No computer made in the past five years or so has a DB9 serial port. I needed to find an old computer with a serial port or buy a Serial to USB adapter.

I grabbed the first desktop I could find and was lucky enough to find a serial port on the back. Like the Soekris, this port was also a male DB9 style interface. Next I started searching for cables. I found two male to female DB9 cables and a null-modem adapter – PERFECT!

Serial Cable and Null Modem Adapter

I set up my computer and booted it up and was pleased to see an old Ubuntu server installation. A couple of guesses for the ID and Password and I was in. Next step was to connect the null-modem adapter between the two cables and then connect one end of the resulting cable to the Soekris and the other to the Linux PC. I then fired up a copy of screen and rebooted the Soekris:

screen /dev/ttyS0 9600

At this point the pfSense software started its configuration routine. I won’t cover the details here other than to say that I defined my WAN, LAN and OPT1 ports and configured DHCP for the LAN interface. Once this was complete I was able to access the web interface via a browser.

The Test

Before I tried out the new Soekris box I ran a Speedtest as a baseline.

pfsense-1

I then plugged my WAN and LAN connections into the Soekris box and ran the test again.

pfsense-2

I wanted to ensure that my results were accurate so I proceeded to run the tests a few more times just to be certain that the results were consistent. A number of runs on each server showed that the results were very close each and every time.

Conclusion

Ultimately the loss in performance (degradation ranged from 53% – 57%) meant that the Soekris was not a viable replacement option for my small form-factor PC, which has more memory, faster NICs and a better processor. I think I’ll opt for a VK-T40E pfSense hardware appliance, which has an AMD G-T40E Processor with 2 CPUs and 4Gb of SDRAM and should provide equal or better performance than my existing PC-based router.

Until next time – GEEK OUT!

~GT~

   
