Wireless IP for Canyon Rd.
I've been working with and using ``wireless Ethernet'' (802.11b) for
a while now, both at work and at home. However, my initial approach
to using wireless at home was the simplistic one: hang an ``access point''
(``AP''), acting as a ``dumb bridge,'' off of the internal network. I
turned on WEP, restricted the AP to talk to only certain known MAC addresses,
and configured the AP to not divulge the SSID in its beacons. And when
I used the wireless net to access the machines I cared about, I did so
via SSH.
Well, that certainly worked, and it had the virtue of (relative)
simplicity. However, there was a concern: I wanted to migrate to a
point where I could feel reasonably comfortable ``opening up'' access to
the wireless net to those of our good neighbors who were interested in
taking advantage of this. And no matter how much I trust our neighbors,
I did not want them running around on my internal net.
(For that matter, were the situation reversed, I wouldn't want to be
running around on someone else's internal net, either.)
Long ago, I had placed a 3rd NIC (network interface card -- an
Ethernet adapter) in my firewall machine. So the straightforward
approach seemed to be to configure the firewall so the wireless AP was
connected via the 3rd NIC, to a completely separate network. Well,
around the beginning of October, I finally got the firewall
re-configured in a way that seems to work OK:
- The firewall has one NIC for connecting to the Internet (via
Pac*Bell DSL). This NIC is assigned the sole IP address I have.
Traffic from the outside world is only permitted if it meets certain
fairly strict requirements: for example, a reply to a request
originated from one of the internal nets is permitted. A few other
things are permitted; in some cases, things appear to be permitted, but
what is happening is rather different (because of a combination of NAT
(Network Address Translation) and port-forwarding), but details of that
are outside the scope of this document.
- There is one NIC for the internal net. Nearly any traffic is
permitted if it originates from this net.
- There is the above-mentioned 3rd NIC, which is connected to what I
call the ``guest net'' (to emphasize, as I did when I ran one of the
first free public-access UNIX systems in Orange County, CA, that folks
who use the net in question are my guests, and are expected to be
mindful of that). This is where the wireless AP is connected.
- Both the ``internal'' and ``guest'' nets use RFC 1918 numbering
schemes: internal uses 172.16/16; guest uses 172.17/16. NAT is handled
on the Internet-facing interface.
- The only TCP connections that are permitted from the guest net to
the internal net are those to port 22 (SSH), and then only to a
designated SSH server on the internal net.
- TCP connections from the guest net to the outside world are not
restricted, except that port 25 (SMTP -- email) is only permitted to the
firewall machine. I really dislike spamming, and I
don't even want my net responsible for any such incidents accidentally,
if I can help it. I may re-visit this at some point.
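The policy in the list above, written out as a first-match rule table that can serve as a test oracle for whatever firewall ruleset enforces it. This is an added example, not the author's configuration: the NIC labels, the SSH server and firewall addresses, and the default-deny fallback are assumptions, and the ingress-interface anti-spoofing check goes beyond what the page describes.

```python
import ipaddress

# Networks are from the page; NIC labels and host addresses are assumptions.
NETS = {"lan": ipaddress.ip_network("172.16.0.0/16"),
        "guest": ipaddress.ip_network("172.17.0.0/16")}
SSH_SERVER = ipaddress.ip_address("172.16.0.22")   # assumed designated SSH server
FIREWALL = {ipaddress.ip_address("172.16.0.1"),    # assumed firewall addresses,
            ipaddress.ip_address("172.17.0.1")}    # one per inside NIC

# First match wins: (ingress NIC, destination zone, destination host, port, verdict).
# None is a wildcard. Anything unmatched is denied (assumed default).
RULES = [
    ("lan",   None,       None,       None, "allow"),  # nearly anything from internal
    ("guest", "lan",      SSH_SERVER, 22,   "allow"),  # SSH to the one server
    ("guest", "lan",      None,       None, "deny"),   # nothing else to internal
    ("guest", "firewall", None,       25,   "allow"),  # SMTP only to the firewall
    ("guest", "wan",      None,       25,   "deny"),   # no direct SMTP outbound
    ("guest", "wan",      None,       None, "allow"),  # rest of the Internet
]


def dest_zone(ip):
    """Zone a destination address lives in."""
    if ip in FIREWALL:
        return "firewall"
    for name, net in NETS.items():
        if ip in net:
            return name
    return "wan"


def decide(in_nic, src, dst, dport):
    """Verdict for a NEW TCP connection; replies are left to state tracking."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Anti-spoofing: trust the NIC a packet arrived on, not its source address.
    # A guest claiming an internal source must not be treated as internal.
    if in_nic in NETS:
        if src_ip not in NETS[in_nic]:
            return "deny"
    elif any(src_ip in net for net in NETS.values()):
        return "deny"   # inside source address arriving from the Internet side
    zone = dest_zone(dst_ip)
    for nic, r_zone, r_host, r_port, verdict in RULES:
        if (nic == in_nic and r_zone in (None, zone)
                and r_host in (None, dst_ip) and r_port in (None, dport)):
            return verdict
    return "deny"
```
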
So I think I'm just about ready to let some neighbors in on
the fun. I expect that at first, I'll do it by manually "registering"
their MAC addresses, until I get a feel for how well things are
working.
But I think there may be an issue with getting the signal(s) where
they need to be. Where my spouse & I live is a semi-rural area of
Redwood City, just below Emerald Hills. And the ground doesn't tend to
have too many horizontal planes around our area. Indeed, as the below
diagram depicts, the upper part of our back yard is above the peak of
our roof; our garage is under our (nominally single-story) home; the
floor of the garage is about 5' above the street. And the ground across
the street is below street level (the creek that inspired the name for
Canyon Rd. runs in back of our across-the-street neighbors' houses).
We see here a rough diagram of the profile (looking due west) of the
area where our house is. The salient features, from the left, are:
- A neighbor's house. This one is 2 stories high. I didn't bother
trying to show their yard.
- The roadbed of Canyon Rd. Yes, it's all of 20' wide in front of our
house.
- That brownish ``triangle'' (except that its ``hypotenuse'' is so
irregular) is intended to represent a cross-section of the hillside on
which our lot sits.
- Going uphill from Canyon Rd., we get to our garage. (The garage isn't
as wide as the house, and the back part of the garage is well under the
natural grade of the hill.)
- Above the garage is our house. The point marked ``A'' in green
denotes the present location of the wireless AP, mounted upside-down on
the underside of one of the beams that supports the roof. In this
location, the only part of the house that doesn't seem to get adequate
coverage is the one room where nearly all the other computer stuff is,
so the lack of coverage isn't a critical problem: wired connectivity is
easily available there.
- The dashed green line that intersects point ``A'' shows an
approximation of line of sight to a hypothetical point on a neighbor's
house. By displaying a grid in the background as I manipulated the
drawing, I determined that the green line was at an angle to the
horizontal that corresponds to the arctangent of 1/13, which works out
to 4.3987 degrees. Given the lack of precision in the drawing itself
(for which I measured very little, though I expect it's close enough for
discussion -- but not for placing an order for components), I think
expressing it as 4.4 degrees is adequate.
- Continuing up the hill (to our right, which is north), we cross over
a levelled patio area, then get back to going uphill. About 6' south of
where the yard levels off for a bit, some prior resident stuck a
vertical 4x4 in the ground, which extends 14' above grade at that
point. That places the top of the post (marked with a blue ``B'')
well above anything else (other than trees) in the yard. I think it
brings point ``B'' almost to the level of the floor of the house
above/behind us.
- I show a dotted blue line intersecting point ``B'' and the same
hypothetical point just above our neighbor's house. Using the same
approach as for point ``A'', I find that the angle with the horizontal
for this line of sight is about 7 degrees.
- According to my GPS, the post is at 37 28 13.7 N 122 15 17.3 W, in
case that helps someone in figuring out how this is supposed to work.
- The line of sight (LOS) distance for point ``A'' is about 92.3';
that for point ``B'' is about 177.4'.
- Who's having flashbacks to high school trigonometry right about now?
I'm thinking that the better part of valor would be to see if my
neighbor (across the street) -- who has a ham license... -- can cobble
up enough of an antenna to get our signal the way things are right now.
If so, we should be able to experiment without needing to deal with
lengthy cable runs, weather exposure, lightning protection, and expense
-- not one of which seems like something I'd miss terribly.
An idea that recently (July, 2002) occurred to me -- as a means of
reducing the exposure to damage even in the event of an admittedly rare
lightning strike, if nothing else -- would be to use a passive reflector
on the top of that post, and beam the RF to it from the house. I'm not
sure how good an idea it is, but it is still an idea....
Comments? Please send them to wireless@catwhisker.org -- thanks!
$Id: wireless.html,v 1.5 2002/07/07 04:02:46 david Exp $