==== A Wireless Neighborhood Freenet ====

from http://www.byte.com/documents/s=1436/byt20010926s0003/1001_bar.html

By Moshe Bar, October 1, 2001

This column is really about how some friends and I are turning left-over Linux boxes plus wireless LAN equipment into instant neighborhood "freenets." But first a few observations about the Open Source ecology in which - or from which - these things swim.

(...)

Some of my readers know that I have been meddling with wireless (the 802.11b kind) communications for over a year now. In early 2000 I got my first wireless set from Compaq. The set included a base station and three PCMCIA cards. Later I also got a USB wireless NIC and a second, more advanced base station. In the meantime, my assortment has grown to several base stations from Linksys (which I rate among the best; go to www.linksys.com), Intel, and 3Com (the quality of 3Com products has been on a downward spiral not unlike the Nasdaq's).

Wireless base stations have various useful features. You can, for example, link two or more base stations together by using each device's unique Ethernet or MAC (Media Access Control) address. The interlinked base stations need to be on the same 802.11b channel. The 802.11b protocol divides the available spectrum - which can vary by country or continent - into overlapping channels of 22 MHz each. In Europe and Israel (where I live and work), we have 91.0 MHz overall to play with, and 9 channels, numbered 1 through 9. Of those 9 channels, 1, 6, and 11 don't overlap at all, allowing as many as three access points to operate in close proximity to each other. The bridging configuration of base stations allows you to turn encryption up from 40 bit to 128 bit, although this will surely slow down the bandwidth a little. In some countries, like France, encryption is not permitted except for ridiculously small keys.
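A small check of the channel-overlap rule just described, as an added example that is not part of the column. It assumes the standard 2.4 GHz numbering (channel n is centred on 2407 + 5n MHz and a DSSS channel is 22 MHz wide); which channels a regulator actually permits differs by country, so the caller passes the allowed list. It goes slightly beyond the text in that the greedy selection works for any allowed set, not only the 1/6/11 case.

```python
"""802.11b channel overlap check (added example, not from the column).

Assumes the standard 2.4 GHz numbering: channel n (1..13) is centred on
2407 + 5*n MHz and occupies 22 MHz. Channel 14 (2484 MHz, Japan only)
is left out. Which channels are permitted varies by regulatory domain,
so `allowed` is supplied by the caller.
"""
from itertools import combinations

CHANNEL_WIDTH_MHZ = 22
CHANNEL_SPACING_MHZ = 5


def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4 GHz channel 1..13."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be 1..13")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def overlaps(a: int, b: int) -> bool:
    """Two 22 MHz channels overlap when their centres are closer than 22 MHz."""
    return abs(centre_mhz(a) - centre_mhz(b)) < CHANNEL_WIDTH_MHZ


def non_overlapping_set(allowed):
    """Largest set of mutually non-overlapping channels, chosen lowest-first.

    Channels are intervals on one axis, so the earliest-finishing greedy
    choice is optimal. For channels 1..11 this yields [1, 6, 11].
    """
    chosen = []
    for ch in sorted(allowed):
        if all(not overlaps(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


def assign_channels(ap_names, allowed):
    """Give each access point that is within range of the others its own
    clean channel; returns {ap: channel}. Raises when there are more
    nearby access points than non-overlapping channels, which is the
    limit the text points out."""
    clean = non_overlapping_set(allowed)
    if len(ap_names) > len(clean):
        raise ValueError(
            f"only {len(clean)} non-overlapping channels for {len(ap_names)} access points"
        )
    return {ap: clean[i] for i, ap in enumerate(ap_names)}


def overlap_pairs(allowed):
    """All pairs among `allowed` that interfere with each other."""
    return [(a, b) for a, b in combinations(sorted(allowed), 2) if overlaps(a, b)]


if __name__ == "__main__":
    print("clean channels in 1..11:", non_overlapping_set(range(1, 12)))
    print("clean channels in 1..9: ", non_overlapping_set(range(1, 10)))
    print("three APs on 1..11:", assign_channels(["roof", "lab", "library"], range(1, 12)))
```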
==== In the Beginning Was the Idea ====

Anyway, having read on a few web sites about the possibility of using wireless communications to build a kind of free Internet within an urban area, I set out two months ago to do just that. I started out by printing a small manifesto about the intellectual, ideological and economic advantages of a free local Internet. Then I walked around my neighborhood and glued the manifesto (with an ecological and botanically healthy glue, mind you) to many of the trees. In the manifesto, I asked interested people and offices to send me an e-mail describing how they would like to contribute and what features they would like to have. Soon, the e-mails started to flow into my mailbox.

For some time now, I have been enjoying a 10-mbit connection to the Internet, which is more than many mom-and-pop ISPs used to have here in this area until recently. A 10-mbit connection can surely handle about 400-800 private home users as well as some offices during the day. My idea was to create a big private class B network with a class C subnet for every entity (an apartment building, a law firm, a school, or whatever). My proxy server at the entrance from the Internet would know the rules to divert the internal traffic to the internal LAN services like web, mail, news, FTP, etc. I knew that if I put a big enough Linux server in place as the proxy server, with Quality of Service traffic shaping and redirection rules, then I could just make it work. A good introduction to Linux Quality of Service can be found at http://qos.ittc.ukans.edu/howto/.

After about 3 weeks of talking back and forth with individuals, I finally organized a founding meeting for the neighborhood Freenet. It was late in the evening and we had a couple of beers and fruit salad on my terrace, and then I described what it takes to build a free Internet.
When they saw my diagram on the flip chart showing that each building or house wanting to connect needs to buy a wireless base station, they understood that "Free Internet" is not exactly free, as in free beer. The cost for each building or house would be around U.S. $300 for the base station (prices for electronic gear are much higher in Israel than in the U.S.) plus any wiring required for the individual workstations. (I get my bandwidth in return for bartered services, as explained below, by the way.)

I offered to provide internal DNS and mail, as well as web servers, under semi-professional management (that is, with air-conditioning and UPS). I also offered to look after the firewalling, proxying, and port-mapping from the real Internet to our Freenet. In other words, when somebody from the big wild Net wants to reach a web site on the internal Freenet, my Linux box at the border would translate the request and send it to the appropriate server. Since the idea is to centralize all Internet services such as e-mail, Web, Usenet, chat, RealAudio, and others, it becomes a simple matter of mapping incoming (from the Internet) requests to the servers in my labs.

I provided, therefore:

* A Linux box (an older Netfinity 3000 with 512-MB RAM and RAID 1) for the connection to the Internet (a 10-mbit connection that I get for free from a telecom company in exchange for some services).
* A CerfQube that does firewalling and port forwarding as well as NAT by means of simple but powerful ipchains rules. I chose the CerfQube because the entire disk image is in EPROM and therefore not write-accessible for crackers and intruders. This greatly increases the security of the firewall. I just love the CerfQubes. Go grab one at their web site; they are cheap.
* A web/mail/Usenet/IRC/bind 9.1 cluster running LVS (Linux Virtual Server, www.lvs.org) on 5 rack-mount 1U computers. I chose no-name rack units that have been sitting around idly in my lab. Each has 512 MB of RAM, an 18-GB internal disk, and two NICs.
* An old Compaq Presario with 40-MB RAM and a 2-GB disk, running Linux 2.4.7, that does the firewalling between our little Freenet and the central servers and my personal lab here. Never trust anyone, right?
* A set of three redundant Compaq wireless base stations in order to provide some backup should one of them fail. Since I am at the center of our Freenet, I need to provide higher availability.

The crowd immediately understood that I, in fact, provide much more than what they are required to buy, and what the heck! Nobody is forced to become a member anyway. So many people adhered in the end, and today we have a net of about 70-80 individual members, be they private, company or community (a small community library for English books).

==== Routing Issues ====

That evening, I also explained the potential disadvantage of our setup. Let me explain. Let's assume my neighbor David Stern peers both with me and with his neighbor Marc Gold. Now, if David goes on vacation and absentmindedly turns off his wireless base station, Marc Gold might not have connectivity to the Internet anymore, if his base station doesn't have line of sight within range to my base station. And that also applies to everybody behind Marc who relies on his base station, and so on.

There are two solutions to this problem. One is to put up a powerful enough antenna on my house so that everybody effectively would be peering with me. That is not easily feasible, as there are strict laws in Israel regarding radio equipment and its strength. Obtaining such a licence might force us to apply for a telecom licence altogether.
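The David/Marc outage described above, modelled as a peering graph so one can see exactly who loses the hub when a single base station is switched off. This is an added example, not code from the column; the station names and links below are a constructed toy topology, not the real neighborhood map. It goes a little beyond the text by checking the general property (no single station's outage strands anyone, and what happens when two go dark) rather than one scenario.

```python
"""Peering-graph resilience check for a wireless freenet (added example,
not from the column).

Nodes are base stations, edges are radio peerings that are actually in
range, and the hub is the station holding the upstream connection. The
topology below is a constructed toy version of the David/Marc scenario.
"""
from collections import deque


def add_link(graph, a, b):
    """Radio peerings are symmetric, so record both directions."""
    graph.setdefault(a, set()).add(b)
    graph.setdefault(b, set()).add(a)


def reachable_from(graph, hub, down=()):
    """Breadth-first search from the hub, treating stations in `down` as off."""
    down = set(down)
    seen = {hub}
    queue = deque([hub])
    while queue:
        node = queue.popleft()
        for peer in graph.get(node, ()):
            if peer not in down and peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def stranded_by(graph, hub, failed):
    """Stations (other than the failed ones) that lose every path to the
    hub when `failed` (one name or several) is switched off."""
    failed = {failed} if isinstance(failed, str) else set(failed)
    alive = set(graph) - failed
    return sorted(alive - reachable_from(graph, hub, down=failed))


def single_points_of_failure(graph, hub):
    """Non-hub stations whose outage strands somebody. An empty list means
    the net survives any one base station going dark, which is what the
    'loop closing back to me' is meant to guarantee. Peering with two
    stations is not enough by itself: both peers must have their own
    independent way back to the hub."""
    return [n for n in sorted(graph) if n != hub and stranded_by(graph, hub, n)]


def tree_topology():
    """Constructed: chain hub - david - marc - rachel, plus a branch hub - anna."""
    g = {}
    add_link(g, "hub", "david")
    add_link(g, "david", "marc")
    add_link(g, "marc", "rachel")
    add_link(g, "hub", "anna")
    return g


def cousin_linked_topology():
    """Same net after tying each branch to its 'cousin' on the other side."""
    g = tree_topology()
    add_link(g, "marc", "anna")
    add_link(g, "rachel", "anna")
    return g


if __name__ == "__main__":
    for name, g in (("tree", tree_topology()), ("cousin-linked", cousin_linked_topology())):
        print(name, "stranded if david is off:", stranded_by(g, "hub", "david"))
        print(name, "stranded if david and anna are off:", stranded_by(g, "hub", ["david", "anna"]))
        print(name, "single points of failure:", single_points_of_failure(g, "hub"))
```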
Another solution is to make sure that everybody peers with at least two base stations, although then, according to a variation of the Traveling Salesman mathematical theorem (go read about it at http://www.cs.usask.ca/resources/tutorials/csconcepts/graphs/tutorial/advanced/np/np.html), one needs to make sure that there is indeed a loop at all times closing back to me. If you imagine the peering structure as a binary tree, then every sub-branch must also be connected to its "cousin" branch on the other side. If not, some people might still have connectivity problems. Of course, one can still have a total failure to communicate when both of one's peers are out.

After a pleasant and intelligent debate, the crowd at the gathering decided to first start with a nonredundant structure of simple base stations for each building and then eventually seek a better solution.

==== Security Aspects ====

Besides security against both inside crackers and the ones coming in from the Internet, there are several other security aspects. Having such a lively mass of individuals and businesses all going out to the Net from one NATed IP is bound sooner or later to attract the attention of crackers, spammers, DDoSers, and what have you. This is a really difficult issue to tackle, as there is really not much you can do about it besides proper firewalling and good cooperation with the staff at the upstream ISP. The only sensible thing might be to talk repeatedly to the individuals in the Freenet and make them understand that making excessive noise and engaging in provoking actions will only increase the likelihood of the service becoming unavailable or slow.

Another aspect is the security of the wireless traffic. Recent reports from AT&T Labs have shown that 802.11b traffic is indeed easily breakable. Therefore, I made sure that everybody needs to use IPSec on top of the 802.11b encryption.
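One way to verify that members actually honour the IPSec requirement just stated, from the point of view of a sniffer placed on the radio side: an added example, not the column's code, that classifies tcpdump-style summary lines by whether the packet is ESP (protected), an IKE/ISAKMP exchange (key setup, expected from IPSec users), or anything else (readable to whoever breaks the link encryption), and reports the sources that sent unprotected traffic. The addresses and lines are constructed samples; only the source address is inspected, which is all a single sniffer position can reliably attribute.

```python
"""Audit for unprotected wireless traffic (added example, not from the column).

Reads tcpdump-style summary lines and tallies, per source address, how
many packets were ESP, IKE/ISAKMP, or plain. The lines below are
constructed samples in tcpdump's output style, not a real capture.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)

# Constructed sample: 10.0.3.7 uses ESP throughout, 10.0.3.9 talks plain
# SMTP and HTTP, 10.0.3.11 negotiates IKE and then sends ESP.
SAMPLE_LINES = """\
12:00:01.123456 IP 10.0.3.7 > 10.0.0.10: ESP(spi=0x00001234,seq=0x1), length 116
12:00:01.456789 IP 10.0.3.9.1045 > 10.0.0.10.25: Flags [S], seq 1, win 8760, length 0
12:00:02.001234 IP 10.0.3.7 > 10.0.0.10: ESP(spi=0x00001234,seq=0x2), length 132
12:00:02.300000 IP 10.0.3.9.1046 > 10.0.0.10.80: Flags [P.], seq 1:50, ack 1, win 8760, length 49
12:00:02.500000 IP 10.0.3.11.500 > 10.0.0.10.500: isakmp: phase 1 I ident
12:00:03.000000 IP 10.0.3.11 > 10.0.0.10: ESP(spi=0x0000abcd,seq=0x1), length 100
this line is not a packet summary and is skipped
""".splitlines()


def classify(rest: str) -> str:
    """Map the text after the addresses to esp / ike / plain."""
    if rest.startswith("ESP("):
        return "esp"
    if rest.startswith("isakmp"):
        return "ike"
    return "plain"


def tally(lines):
    """Per source address, count packets in each class. Lines that do not
    parse are skipped rather than guessed at."""
    counts = defaultdict(lambda: {"esp": 0, "ike": 0, "plain": 0})
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        counts[m.group("src")][classify(m.group("rest"))] += 1
    return dict(counts)


def unprotected_sources(lines):
    """Sources that sent at least one packet outside ESP or IKE, sorted."""
    return sorted(src for src, c in tally(lines).items() if c["plain"] > 0)


def esp_share(lines):
    """Fraction of each source's packets that were ESP. ESP hides ports and
    payload, so for those packets this count is all the sniffer can say."""
    return {src: c["esp"] / sum(c.values()) for src, c in tally(lines).items()}


if __name__ == "__main__":
    for src, c in sorted(tally(SAMPLE_LINES).items()):
        print(src, c)
    print("unprotected:", unprotected_sources(SAMPLE_LINES))
```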
Because all participants are rather well versed, technically speaking (that is why they participate), the IPSec requirement is not too demanding. I assume that conducting the Freenet experiment with less-versed people might not be feasible at all, at least not with today's technology.

The final aspect is that of trust towards me. Since all traffic goes through my servers, all e-mail is stored on my computers, etc., the Freenet members need to trust me. If they mistrust me even slightly, they would start using conventional dial-up connections to send more intimate or secret messages. This again shows the limited application scope of Freenets.

==== Linux Comes to the Rescue ====

(Routing within the Freenet can become a bit of an issue, too. Consider the situation in our Freenet:)

(We have a DMZ zone which is reached through port forwarding from the firewall and which is located immediately after the router with the ISP connection. All Freenet participants have a 10.0.0.0 network IP address within a particular subnet, usually a class C within the 10.0.0.0 network. This means that each and every entity in the Freenet with its own subnet needs to have a router/gateway in the middle. There are some wireless base stations capable of simple IP forwarding, but the Compaq WL400 cannot. So, people with their own subnet need a Linux router in front of their wireless base station in order to provide connectivity.)

(For those people using the "Freenet" class B public IP network, which consists of about 12 base stations right now, some sniffing prevention is required. Since both Windoze and Linux work with IPSec, I advised everybody to use this protocol to avoid problems. From what my automated sniffers (placed strategically at various positions) can detect, not many people are using IPSec, but that is their own problem.)
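An address plan for the layout described here and under "In the Beginning Was the Idea" (one class C subnet per entity inside the 10.0.0.0 network, a Linux router at the head of each, and a DMZ reached only by port forwarding from the border firewall), as an added example that is not from the column. The /16 prefix, the choice of the first two /24s as DMZ and lab, the member names and the forward table are all constructed assumptions. The forward check is the sanity test a practitioner wants on the border box: every mapping from the Internet must land in the DMZ, never in a member subnet or the hub's lab, and no external port may be claimed twice.

```python
"""Address plan and border port-forward sanity check (added example, not
from the column).

Assumes the private block is 10.0.0.0/16 (the column says "a class C
within the 10.0.0.0 network" without giving the outer prefix), that the
first /24 is the DMZ holding the public servers, that the second is the
hub's own lab, and that each member entity gets one /24 whose first host
address is its own Linux router. Names and addresses are constructed.
"""
import ipaddress

FREENET = ipaddress.ip_network("10.0.0.0/16")
DMZ = ipaddress.ip_network("10.0.0.0/24")   # assumption: public-facing servers
LAB = ipaddress.ip_network("10.0.1.0/24")   # assumption: hub's lab, never forwarded to
RESERVED = (DMZ, LAB)


def plan_subnets(entities):
    """Hand out one /24 per entity in order, skipping the reserved ranges.
    Returns {entity: (network, router_address)}; the router is the first
    host, where the entity's Linux box in front of its base station sits."""
    free = (n for n in FREENET.subnets(new_prefix=24) if n not in RESERVED)
    plan = {}
    for entity in entities:
        net = next(free)  # StopIteration here means the /16 is exhausted
        plan[entity] = (net, next(net.hosts()))
    return plan


def subnet_owner(plan, address):
    """Which entity's subnet an address falls in (None for DMZ/lab/unknown),
    i.e. which member router the hub must route it towards."""
    ip = ipaddress.ip_address(address)
    for entity, (net, _router) in plan.items():
        if ip in net:
            return entity
    return None


def check_forwards(forwards, dmz=DMZ):
    """Validate a border port-forward table of (proto, ext_port, inside_ip, inside_port).
    Returns a list of problems; empty means the table is sane:
      * every forward lands inside the DMZ,
      * no external (proto, port) is mapped twice,
      * only tcp/udp are forwarded."""
    problems = []
    seen = set()
    for proto, ext_port, inside_ip, inside_port in forwards:
        key = (proto, ext_port)
        if proto not in ("tcp", "udp"):
            problems.append(f"{proto}/{ext_port}: unsupported protocol")
        if key in seen:
            problems.append(f"{proto}/{ext_port}: external port mapped twice")
        seen.add(key)
        if ipaddress.ip_address(inside_ip) not in dmz:
            problems.append(f"{proto}/{ext_port}: target {inside_ip} is outside the DMZ {dmz}")
    return problems


# Constructed sample input
MEMBERS = ["stern-building", "gold-building", "law-firm", "english-library"]
FORWARDS = [
    ("tcp", 25, "10.0.0.10", 25),    # mail -> virtual address of the server cluster
    ("tcp", 80, "10.0.0.10", 80),    # web
    ("tcp", 119, "10.0.0.10", 119),  # Usenet
    ("udp", 53, "10.0.0.11", 53),    # DNS
]
BAD_FORWARDS = FORWARDS + [
    ("tcp", 80, "10.0.0.12", 8080),  # duplicate external port
    ("tcp", 22, "10.0.1.5", 22),     # would expose a lab machine
]

if __name__ == "__main__":
    plan = plan_subnets(MEMBERS)
    for entity, (net, router) in plan.items():
        print(f"{entity:16} {net}  router {router}")
    print("good table:", check_forwards(FORWARDS))
    print("bad table: ", check_forwards(BAD_FORWARDS))
```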
==== Parallel Internet with Internal Web Site and E-Commerce ====

One of the very interesting side effects of our Freenet is the almost immediate rise of a parallel Internet. Because our community is diversified and technophile enough, after a few days people already had the first Freenet public web pages up, targeting fellow Freenet participants. One guy put up a small web page selling his consulting services to people needing help with configuration and installation issues. A student in the neighborhood is starting a Freenet web site (which eventually might become accessible from the public Internet as well) offering to do the shopping for people, including home delivery. Our internal IRC site is pretty much in demand, and there are almost always neighbors to be found there for chats or discussions.

This shows that there is an urgent need for local Internet communities to be protected from the public scrutiny and attacks coming from the global Internet. With the new possibilities offered by wireless technology, this becomes pretty inexpensive and easy to achieve.

Our community is set to expand over the next few months, and I eventually don't want to run it all the time. Once there are enough participants, they might decide to pool a bit of money and hire a part-time system administrator to handle things. Obviously, that goes a bit against the "Freenet" idea, but then free in this case can also mean almost-free.

Wait for more reports on our Freenet as we progress. It is certainly an interesting project, although most of the work is for now resting squarely on my shoulders. Some people among the participants are very generous with help and encouragement. Others seem to always find something to complain about. Maybe they don't get the whole idea of what we are doing here, but then you always encounter these kinds of problems whenever you assemble a team of people working on the same project, no? I, for one, am having fun with it.