Last modified on 7 August 2009 at 15:47

Configuring AirOS for use with Municipal WiFi

From Ubiquiti Wiki

Abstract

  1. Hook up the Ubiquiti device to your computer
  2. Configure the LAN portion of the network
  3. Configure the wireless WAN portion of the network
  4. Plug it in to either a switch, home router, or your computer, and reboot it.

Prerequisites

  • A home network (or a computer with an ethernet jack and a crossover cable)
  • Intermediate knowledge of networking and using your OS
  • Wireless network information provided by your ISP

Wired setup

This depends on how you want your Ubiquiti device to interact with your network, but regardless, you first have to configure it.

  1. Connect your device either directly to your computer or to your home network.
    • WARNING: Ubiquiti devices use passive power over ethernet (POE). Plugging the powered end of a passive POE cable directly into a switch, hub, or computer can cause permanent damage. Ensure the powered end is plugged directly into the device.
    • If you connect the device directly to your computer, you might need a crossover cable. If your computer has a gigabit ethernet controller, a patch cable will probably work fine.
    • If you connect it to your network, services running on the Ubiquiti device (IP address overlap, DHCP) might cause temporary problems with your network.
  2. Once connected, configure your computer's network connection with an IP address in the 192.168.1.0/24 subnet. Something like 192.168.1.59 will probably work fine.
    • If you modified this earlier, you'll need to either reset it or modify the next two steps to correspond to that address.
  3. Open a browser and go to http://192.168.1.20. The default username and password are ubnt and ubnt.

You should now be at the "main" AirOS tab.

Now select a guide.

  • If you want to use your Ubiquiti device like a Cable or DSL modem attached to a home router, use the bridge guide.
  • If you want to connect your Ubiquiti device directly to your computer, use the bridge guide.
  • If you want to use your Ubiquiti device as a home router (attached to either a hub, switch, bridge, or your computer), use the NAT guide.

As a bridge

  1. Go to the AirOS "network" tab.
  2. For the "network mode," choose "bridge."
  3. Make sure the "bridge IP address" is set to DHCP.

As a NAT router

Figure: LAN network settings for a Ubiquiti device doing NAT and DHCP

  1. Go to the AirOS "network" tab.
  2. For the "network mode," choose "router."
  3. Make sure the "bridge IP address" is set to DHCP.
  4. Scroll down to "LAN Network Settings"
  5. Set "IP address" to a private IP address. Something like 192.168.1.1 or 192.168.1.20 would be a very good choice.
  6. Set "netmask" to the network's netmask. In most cases, it will be 255.255.255.0.
  7. Check the "enable NAT" and "enable DHCP" check boxes.
  8. For "range start" and "range end," pick a range in the same subnet as the device's IP address, but not including its IP address, e.g. 192.168.1.21 and 192.168.1.254.
  9. Use the same netmask you used earlier.
  10. Check the "enable DNS proxy" check box.
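
A check for the DHCP range chosen in step 8, written as an added example (not part of the original guide or of AirOS). The function names are hypothetical; the addresses in the sample calls are the ones suggested above.

```shell
#!/bin/sh
# Added example: validate an AirOS DHCP range against the LAN IP and netmask.

# ip2int A.B.C.D -> prints the address as one integer
ip2int() {
    old_ifs=$IFS; IFS=.
    set -- $1            # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# check_dhcp_range DEVICE_IP NETMASK RANGE_START RANGE_END
# Prints "ok" and returns 0, or prints the problem and returns 1.
check_dhcp_range() {
    ip=$(ip2int "$1");    mask=$(ip2int "$2")
    start=$(ip2int "$3"); end=$(ip2int "$4")
    net=$(( ip & mask ))
    bcast=$(( net | (~mask & 0xFFFFFFFF) ))
    if [ $(( start & mask )) -ne "$net" ] || [ $(( end & mask )) -ne "$net" ]; then
        echo "range is outside the device's subnet"; return 1
    fi
    if [ "$start" -gt "$end" ]; then
        echo "range start is after range end"; return 1
    fi
    if [ "$ip" -ge "$start" ] && [ "$ip" -le "$end" ]; then
        echo "range includes the device's own address $1"; return 1
    fi
    if [ "$start" -le "$net" ] || [ "$end" -ge "$bcast" ]; then
        echo "range includes the network or broadcast address"; return 1
    fi
    echo "ok"
}

# The values suggested in steps 5 to 8.
check_dhcp_range 192.168.1.20 255.255.255.0 192.168.1.21 192.168.1.254
```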

Port forwarding, firewall settings, and DMZ are all useful, but it's best to get basic functionality working, first. Users needing those features will generally know when they need them.

Wireless setup

Figure: Wireless settings for a link using WPA Enterprise authentication. The username and password have been removed.
Figure: Wireless bridge configuration
Figure: Wireless NAT router configuration

  1. Go to the "link setup" tab in AirOS.
  2. Set the "wireless mode" to "station" for NAT or to "station WDS" for a bridged connection.
  3. Set the ESSID. Your ISP provided this to you. You can also use the "select" feature, but this won't always work for hidden ESSIDs or virtual access points.
  4. Set the "country code" to your country. This option tells AirOS which channels to scan and what transmit power is legal.
  5. The default values for the rest of the settings in "Basic Wireless Settings" are usually safe.
  6. Set up wireless security.
    • This section depends heavily on the information provided by your ISP
  7. Don't forget to click "change" when you're done setting up the wireless connection.

Wireless security information

  • Banking information and credit card numbers are almost always safe, regardless of the wireless security setting, because the sites that handle them encrypt the connection themselves with HTTPS.
  • If "security" is set to "none," most of your web browsing, instant messaging, and email can be seen by anyone who can pick up your wireless signal.
  • If "security" is set to "WEP," anyone else with that key will be able to view your traffic, and anyone can crack the key in just a few days.
  • If "security" is set to "WPA" or "WPA2" and "WPA authentication" to "PSK," anyone with that key will be able to view your traffic. If the key looks like familiar words and/or numbers, it's considered insecure and can be cracked.
  • WPA(2) with EAP is currently the only safe way to use municipal WiFi.

Miscellaneous

  • "Lock to AP MAC" is optional. It can increase connection reliability, somewhat, but if there's a change in network configuration, your connection won't be able to recover on its own.


Setting the IP address (not typically required)

This is a very unusual thing to do, but it's not hard to set up.

  • If you set the mode to "bridged," you'll have to manually set the IP address on your computer or home router.
  • If you set the mode to "router," go back to the "network" tab.
    1. Change "WLAN IP Address" to "static."
    2. Change "IP Address" to the address your ISP provided you.
    3. Also do this for the "netmask," "Gateway IP," and at least one "DNS IP."

Setting the date (not typically required)

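If your ISP requires you to use a username and password (WPA Enterprise), you might have to set the date on the device. Certificates are only valid for a limited period, which is checked against the device's clock, so a wrong date can make authentication fail. This is done as a security measure in the event an encryption certificate has been compromised.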

Via NTP server

Since you do not yet have an internet connection, you can't use an NTP server like pool.ntp.org. If you host your own, however, you can save yourself a lot of trouble.

  1. Assuming your NTP server has already been configured, go to the "Services" tab.
  2. Set "NTP server" to your server's IP address and check "enable NTP client." The field and check box are about halfway down the page.
  3. Click "change."

The date should be automatically set, and WPA enterprise authentications will work.

Via the AirOS CLI

Setting the date this way is a little tricky, and it gets reset on reboot, so you'll have to go through this every time your device powers up.

  1. Go to the "Services" tab of the AirOS configuration page.
  2. Check the "Enable SSH server" check box. It's near the bottom of the page.
  3. Click "Change" to apply this setting.
  4. Open an SSH connection between your computer and the device. Unless you changed something, both the username and password will be ubnt.
    • Linux, Unix, and Mac OS X already have this program. Just open a new terminal window and type ssh ubnt@<ubnt IP address>. When asked if you want to trust the key, type "yes."
    • Windows doesn't have a builtin SSH client. An easy, free option is PuTTY. Run it, enter the IP address of the device in the "host name" box, and click "open." When asked if you want to trust the key, choose "yes" or "OK."
  5. Set the date. This is an abbreviated syntax for the command: date MMDDhhmmCCYY, where MM, DD, hh, mm, CC, YY are month, day, hour, minute, century, and year, respectively. This command sets the date to August 5th, 2009, 23:35:

    XS2.ar2316.v3.4.4390.090521.1757# date 080523352009
    Wed Aug 5 23:35:00 UTC 2009


    Remember to use UTC, not your local time.
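
Because the date is lost on every reboot, the steps above can be scripted from the workstation. The following is an added example, not part of the original guide: the function names are hypothetical, and it assumes the workstation clock is correct and the device still uses the ubnt login described above.

```shell
#!/bin/sh
# Added example: build the MMDDhhmmCCYY argument in UTC and send it over SSH.

# airos_date_arg [EPOCH] -> prints MMDDhhmmCCYY for EPOCH (default: now), in UTC
airos_date_arg() {
    epoch=${1:-$(date -u +%s)}
    # GNU and BusyBox date take "-d @EPOCH"; BSD/macOS date takes "-r EPOCH".
    date -u -d "@$epoch" +%m%d%H%M%Y 2>/dev/null ||
        date -u -r "$epoch" +%m%d%H%M%Y
}

# is_airos_date_arg STRING -> returns 0 if STRING is 12 digits with sane fields
is_airos_date_arg() {
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -eq 12 ] || return 1
    mm=$(printf %s "$1" | cut -c1-2); dd=$(printf %s "$1" | cut -c3-4)
    hh=$(printf %s "$1" | cut -c5-6); mi=$(printf %s "$1" | cut -c7-8)
    # ${x#0} drops one leading zero so "08" compares as 8
    [ "${mm#0}" -ge 1 ] && [ "${mm#0}" -le 12 ] &&
    [ "${dd#0}" -ge 1 ] && [ "${dd#0}" -le 31 ] &&
    [ "${hh#0}" -le 23 ] && [ "${mi#0}" -le 59 ]
}

# set_airos_date HOST -> runs "date <arg>" on the device (SSH asks for the password)
set_airos_date() {
    arg=$(airos_date_arg) && is_airos_date_arg "$arg" || return 1
    ssh "ubnt@$1" "date $arg"
}

# Show the command that would be sent right now.
echo "date $(airos_date_arg)"
```

After each power-up, run set_airos_date 192.168.1.20 (or whatever address you chose).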

Troubleshooting

Can you access the device?

  • If you're just rebooting the device, remember to restore your computer's network settings to normal.
  • If the device is in routed/NAT mode, try renewing your DHCP lease. Did you get a response from the device?
  • Try pinging the device (make sure your network interface has an IP address in the same subnet as the device).
  • Try rebooting the device (again).

If you still can't access it, you probably have to press the "reset" button while it's running. See Firmware_Recovery for more information.

Is wireless up?

Figure: Wireless connection that's down

  • When you browse to http://192.168.1.20 (or whatever address you chose), what's the signal strength?
  • Is there an AP MAC address (BSSID)?
  • What are the TX and RX bit rates? 1Mb/s might indicate a very weak signal, while higher values indicate a better connection.
  • What do the "WLAN statistics" say? In a working connection, you should see both transmitted and received packets. Some error packets are OK, but if more than 5% have errors, your connection won't be stable.

Did you get an IP address?

Figure: A healthy WiFi connection

  • Is there an IP address listed for the WLAN connection?
  • If you open an SSH connection with the device, is there a default route set?

    XS2.ar2316.v3.4.4390.090521.1757# route -n
    Kernel IP routing table
    Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
    192.168.1.1     0.0.0.0         255.255.255.0   U     0      0        0 eth0
    64.9.240.0      0.0.0.0         255.255.248.0   U     0      0        0 ath0
    169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
    0.0.0.0         64.9.240.1      0.0.0.0         UG    0      0        0 ath0

    In this case, it's 64.9.240.1.
  • Can you ping it? The AirOS "ping" tool (on the main page) already has the gateway entered.
  • Can you ping the nameservers? They're stored in /etc/resolv.conf on the device.
  • Can you ping a known IP address? OpenDNS uses 208.67.222.222; that IP address is almost always reachable.
  • Can you ping a known IP address from the internal side of NAT?
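
The default-route check above can be done mechanically on saved route -n output. This is an added example, not part of the original guide: the function names are hypothetical, the sample input is the output shown above, and it assumes ath0 is the wireless interface as in that output.

```shell
#!/bin/sh
# Added example: find the default gateway in "route -n" output and check that
# it leaves through the wireless interface.

# default_route: reads "route -n" output on stdin, prints "GATEWAY IFACE" for
# the default route (destination 0.0.0.0 with the G flag); returns 1 if none.
default_route() {
    awk '$1 == "0.0.0.0" && $4 ~ /G/ { print $2, $8; found = 1; exit }
         END { exit !found }'
}

# wan_route_status: same input, prints a one-line diagnosis.
wan_route_status() {
    if ! gw_if=$(default_route); then
        echo "no default route: the wireless side has no gateway yet"
        return 1
    fi
    gw=${gw_if% *}; ifc=${gw_if#* }
    if [ "$ifc" != "ath0" ]; then
        echo "default route via $gw uses $ifc, not the wireless interface"
        return 1
    fi
    echo "ok: default gateway $gw on $ifc"
}

# Sample input: the routing table from the page.
sample_route_output() {
    cat <<'EOF'
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.1.1     0.0.0.0         255.255.255.0   U     0      0        0 eth0
64.9.240.0      0.0.0.0         255.255.248.0   U     0      0        0 ath0
169.254.0.0     0.0.0.0         255.255.0.0     U     0      0        0 eth0
0.0.0.0         64.9.240.1      0.0.0.0         UG    0      0        0 ath0
EOF
}

sample_route_output | wan_route_status
```

Against a live device, pipe the real output in instead: ssh ubnt@192.168.1.20 route -n | wan_route_status.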