Solved Help plumbing a wireless AP

Greetings,
I have 8 static (internet) IPs for my home network. The topology is thus:
cable-modem<---16-port-switch<---hosts/clients
So, given that all the boxes w/static IPs provide internet services, I've decided that
the best way to service all my home "clients" and devices would be to simply add
a wifi AP to one of the "service" boxes. Done. The AP details are as follows:
Code:
ath0: <Atheros 9287> mem 0xfe300000-0xfe30ffff irq 16 at device 0.0 on pci3
ath0: RX timestamp: 32 bits
ath0: TX timestamp: 32 bits
ath0: [HT] enabling HT modes
ath0: [HT] enabling short-GI in 20MHz mode
ath0: [HT] 1 stream STBC receive enabled
ath0: [HT] 1 stream STBC transmit enabled
ath0: [HT] 2 RX streams; 2 TX streams
ath0: 11b rates: 1Mbps 2Mbps 5.5Mbps 11Mbps
ath0: 11g rates: 1Mbps 2Mbps 5.5Mbps 11Mbps 6Mbps 9Mbps 12Mbps 18Mbps 24Mbps 36Mbps 48Mbps 54Mbps
ath0: 2T2R
ath0: 11ng MCS 20MHz
ath0: MCS 0-7: 6.5Mbps - 65Mbps
ath0: MCS 8-15: 13Mbps - 130Mbps
ath0: 11ng MCS 20MHz SGI
ath0: MCS 0-7: 7Mbps - 72Mbps
ath0: MCS 8-15: 14.5Mbps - 144.5Mbps
ath0: 11ng MCS 40MHz:
ath0: MCS 0-7: 13.5Mbps - 135Mbps
ath0: MCS 8-15: 27Mbps - 270Mbps
ath0: 11ng MCS 40MHz SGI:
ath0: MCS 0-7: 15Mbps - 150Mbps
ath0: MCS 8-15: 30Mbps - 300Mbps
ath0: AR9287 mac 384.2 RF5133 phy 15.15
ath0: 2GHz radio: 0x0000; 5GHz radio: 0x00c0
ath0: Use hw queue 1 for WME_AC_BE traffic
ath0: Use hw queue 0 for WME_AC_BK traffic
ath0: Use hw queue 2 for WME_AC_VI traffic
ath0: Use hw queue 3 for WME_AC_VO traffic
ath0: Use hw queue 8 for CAB traffic
ath0: Use hw queue 9 for beacons
ath0: using multicast key search

A pretty good PCIe adapter, if anyone's looking to get one, and at ~$25 US it's
even better. :)
So, what I'm hoping to achieve here is to make this box service requests for
access to the internet, as well as continue to provide the internet services it
already serves.
Current rc.conf(5):
Code:
# ether
ifconfig_re0="inet XXX.YYY.ZZZ.86 netmask 255.255.255.0"
defaultrouter="XXX.YYY.ZZZ.1"
ifconfig_re0_ipv6="inet6 accept_rtadv"
# wireless
I'm comfortable enough getting the wireless to work. I've compiled all the necessary
wireless stuff into my kernel. The part that I'm struggling with is: what would be the
best way to plumb this to serve requests from the AP to the internet? I've read at least
30 different "recipes", and now I'm at a loss as to which way would be best.
So I'm hoping someone here might have already done something like this, and be
willing to share their experience/formula.

Thank you for all your time, and consideration.

--Chris
 
Some things I have found: /etc/rc.conf ifconfig wlan0 entry gets most all the hardware settings and hostapd.conf should just do the WPA2 stuff.
Debugging hostapd is simple if you run it in foreground with -dd option. Get it working before starting the service.

You need to choose a DHCP server to install. DNSMasq works well.
 
I used to do this, using a *BSD machine as an AP. Started that with OpenBSD, then switched to FreeBSD (to a large extent because the device drivers for 802.11 on OpenBSD were not production quality at the time).

I never used a recipe. Instead, I configured my *BSD machine to be a firewall (using PF), and a router (using IP forwarding). In my case, I have a single pseudo-static external IP address, so I have to do NAT in my PF configuration, but that's really easy. For FreeBSD, the initial setup of the hardware ports (two wired ethernets, one incoming from the outside world, one for the internal wired network that goes to a switch, plus the wireless card that's being used as an AP) was in /etc/rc.conf, no problem. I also used various Atheros cards (in various form factors).

I already run DNS, DHCP, NTP, ... servers on my home machine anyhow (it is a NATing router), independent of whether it routes via wired or wireless. So being an AP didn't cause any extra work in that regard.

The problem for me was always that using a *BSD machine as an AP was never reliable enough. Under OpenBSD, about 5 years ago, there was no hope, because the hardware support for Atheros cards was lacking, or the drivers were fantastically unreliable. Under FreeBSD 9.X, it actually worked for days at a time, but I had to frequently reboot my FreeBSD server, certain clients (notably Apple Mac laptops) would not work without specialized settings, and there was a flood of "ath0: stuck beacon" messages that wiped out my logs and would regularly hang or crash the machine. After fighting this for about 5 years, I gave up, went to an Apple store and bought an AirPort (the cheapest model, under $100), which has worked flawlessly ever since. By the way, this is not meant as a ringing endorsement of Apple, but it so happens that the closest computer store and the only one that doesn't require a detour from my commute happens to be an Apple store; a LinkSys/NetGear/Belkin might also have worked just fine.

In retrospect, trying to use a generic commodity OS as an access point was a fool's errand. The amount of labor required to configure and maintain it doesn't make it worth the cost saving at all, if time has any value. And my experience was that this is just not reliable; other people may disagree.

If you want me to find the old pf.conf and rc.conf file from that era, I can do a small amount of digging and post them.
 
Thanks for the replies, Phishfry and ralphbsz!
ralphbsz: Hmmm... initially this looked like it'd be pretty easy; creating the wlan device && scanning the device caps were easy, and the output was good. Now that I've actually been trying to get it working, it's all not looking so nice. Maybe you're right. :-(
Phishfry:
You seem to have had a good go with all this. What's the secret?
I can get the wlan0(4) device active, in AP mode, and assigned an IP. But that's it! hostapd(4) doesn't appear to be (well) supported -- if at all. :-(
Here's my setup. It's not the way I ultimately want to go, but it seemed the easiest to start with. It's NATted. But I really intend to go via mac addresses, and tagging... anyway;
rc.conf:
Code:
hostname="trump.whitehouse.gov" # kidding ;-)
ifconfig_re0="inet <public-IP> netmask 255.255.255.0"
defaultrouter="<PUBLIC-IP-GATEWAY>"
ifconfig_re0_ipv6="inet6 accept_rtadv"

wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
hostapd_enable="YES"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0"

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

dnsmasq_enable="YES"
dnsmasq_logfile="/var/log/dnsmasq_log"
hostapd.conf:
Code:
interface=wlan0

logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

ctrl_interface=/var/run/hostapd

ctrl_interface_group=0

ssid=wireless-gw

#ieee80211n=1

hw_mode=g

channel=165

beacon_int=100

dtim_period=2

max_num_sta=255

rts_threshold=2347

fragm_threshold=2346

macaddr_acl=0

auth_algs=3

ignore_broadcast_ssid=0

wmm_enabled=1

wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0

wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0

wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0

wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0

wpa=2

wpa_passphrase=sumsecretpass

wpa_key_mgmt=WPA-PSK

wpa_pairwise=CCMP
rsn_pairwise=CCMP
After initial creation with the above rc.conf entry:
Code:
wlan0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect <hostap> (autoselect <hostap>)
        status: no carrier
        ssid "" channel 1 (2412 MHz 11g ht/40+)
        regdomain 32924 country CN indoor ecm authmode OPEN privacy OFF
        txpower 20 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
        shortgi -ldpc wme burst dtimperiod 1 -dfs
        groups: wlan
service hostapd start
Code:
Starting hostapd.
Configuration file: /etc/hostapd.conf
bsd_set_if_media: SIOCSIFMEDIA Device not configured
bsd_init: failed to set operation mode
bsd driver initialization failed.
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED
hostapd_free_hapd_data: Interface wlan0 wasn't started
ELOOP: remaining socket: sock=5 eloop_data=0x801c78000 user_data=0x0 handler=0x41b240
/etc/rc.d/hostapd: WARNING: failed to start hostapd
So it appears hostapd(8) doesn't support wireless adapters -- at least not anymore?! :confused:
Or is it just intended to tear down a wireless device/connection? Everything in the hostapd.conf(5) file is taken from the one shipped w/FreeBSD, almost verbatim!

Sincerely,
Frustrated. :(
 
I never had to use hostapd, because at our location authentication was not even necessary (there are sufficient physical boundaries). Here is all the setup required in rc.conf to run the Atheros card du jour in AP mode:
Code:
# Wireless access point:
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 192.168.1.1 netmask 255.255.255.0 ssid LindaRalphJohn mode 11g channel 6"
Done.

A few comments about your configuration: I don't think you need to copy my "mode 11g channel 6" settings. But I think you have to have the SSID.

Can you try running it this way a little bit without hostapd, and therefore without authentication? If it works now, then at least you know you are basically there, and hopefully no intruders will get in during a short test.

Another warning: Be careful to check your pf.conf very carefully. It is super-easy with a little typo in there to make things non-working. For example, I've had problems with using the "egress" interface, and sometimes putting multiple interfaces into an array doesn't seem to work, but explicitly duplicating rules to show both interfaces does. It's weird, and I've never found time to fully debug it (it happens to work correctly now, don't mess with it). If you don't need PF for real production (you only want it because of security), then maybe disable it for a few minutes and see whether things start working.
 
Thanks for the reply, and throwing me a bone, ralphbsz!
My pf foo is quite good, so I know I'm covered there. But all-in-all there are a lot of moving parts, so orchestration is key. I also wouldn't use authentication. In fact, my final goal is to use mac based filtering (white list, if you will). But for a couple of reasons, I want to tag the traffic, which will allow me to dump the pf NAT'ing. I'm only doing it now 'cause it's the fastest way to smoke-test the whole thing. I'll give your recommendation a shot, and report my findings.

Thanks again, ralphbsz!

--Chris
 
OK I guess there's at least a little progress...
Before: w/o ssid added
Code:
wlan0: flags=8c02<BROADCAST,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        ssid "" channel 11 (2462 MHz 11g ht/40-)
        regdomain 32924 country CN indoor ecm authmode OPEN privacy OFF
        txpower 20 bmiss 7 scanvalid 60 protmode CTS ampdulimit 64k
        ampdudensity 8 shortgi -ldpc wme burst
        groups: wlan

After: with ssid added
Code:
wlan0: flags=8c43<UP,BROADCAST,RUNNING,OACTIVE,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect (autoselect)
        status: no carrier
        ssid 1777_350Mb_GW channel 9 (2452 MHz 11g)
        regdomain 32924 country CN indoor ecm authmode OPEN privacy OFF
        txpower 20 bmiss 7 scanvalid 60 protmode CTS wme burst bintval 0
        groups: wlan

I think I have a ways to go yet. :-(
Reading all the articles on the interweb, you'd think this'd be a piece of cake. Hell, not really all that hard to comprehend. But following the "written" instructions apparently isn't the way to go.

Thanks again, ralphbsz!

--Chris
 
Alright. For anyone following along (perhaps in the future): ralphbsz's intimation about pushing the configuration into rc.conf(5) appears to be pretty much spot on. A bit more research indicates this to be mandatory. Pity the man(1) pages are so misleading. :(
I'll start plugging in as much as I can get into rc.conf(5), and report back as to exactly what is possible.

--Chris
 
While I don't disagree with your observation about putting things into rc.conf(5), that makes no sense. There is no magic to putting information into there. All that does is: feed commands that are executed by the system of rc scripts which "read" rc.conf(5) (they actually execute it, by virtue of it setting variables). Those scripts then issue commands (such as ifconfig) which you could also have issued from a command line yourself.

Suggestion to help debug things: Read the rc scripts (the word "ifconfig" only shows up in a handful of them), and see what they do with the parameter settings from rc.conf(5). Once you know where the initialization of the wireless device happens, you could even add some debugging statements (like echo'ing) to those scripts to see what is really going on.

Totally different topic of discussion, probably inappropriate for a FreeBSD-specific forum: Wireless security. You are proposing to use mac-address filtering as a form of access control. But mac addresses can be easily spoofed: just passively listen to the wireless traffic for a while, find a valid address, and change the address of your device to a valid one. This is easy enough that it is done by high school students (for example at my son's school: even though he is a band kid, he is friends with a few students from the robotics club which is where the hackers hang out, so his laptop works good at school). If you are really worried about people using your wireless signal (either just to use bandwidth, or worse to get into your internal network), you need something stronger, and WPA2 seems to be the standard solution these days. For our house, this is not an issue, due to physical security: We are very remote (about half a mile from the nearest residence or road), we're behind a gate, the AP is in a basement that happens to be shielded (ferroconcrete) so the signal is only available within the house and in the airspace above. If there is a burglar in the house, or a helicopter hovering right above our roof, then unauthorized access to our internal network is the least of my problems. Most people have their access points in areas that are physically more accessible, and need better authentication though.
 
Hello, ralphbsz, and thanks for the reply.
I have no disagreement to any of your contradictions to my intentions :)
MAC filtering/security: I'm also fairly remote -- on a half acre of property on a dead end street in the middle of nowhere.
The only concern I have is for the kids at the end of the street, and (fortunately for me) they are NOT tech savvy. Further, the current strategy I've been using, a cheap D-Link wireless router providing a "hotspot" for the internet, has used a MAC whitelist as the only access restriction, and it has proven adequate enough to thwart any attempts on their part.
So, while not a truly high barrier to entry, it's proven "good enough" :)
rc.conf(5) related:
OK, after posting my findings above, I was able to bring the ath(4)/wlan0 up -- at least to the extent that it should "work". I used the following:
rc.conf(5):
Code:
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
hostapd_enable="YES"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid CRAPPY_WIFI_GW"
hostapd(8):
Code:
interface=wlan0

logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

ctrl_interface=/var/run/hostapd

#ssid=CRAPPY_WIFI_GW      # doesn't work (for me) in hostapd.conf

ctrl_interface_group=0

#ieee80211n=1          # 802.11n support -- doesn't work/isn't supported (in FreeBSD)
#ieee80211ac=1         # 802.11ac support -- SHOULD work, but doesn't

hw_mode=a              # a/c/g/n -- ga SHOULD work, but doesn't work
                       # in fact I can only use g OR a :-(

#channel=165           # SHOULD work, but doesn't
                       # in fact, I can't seem to use this setting at all in hostapd.conf
beacon_int=100

dtim_period=2

max_num_sta=255

rts_threshold=2347

fragm_threshold=2346

macaddr_acl=0

auth_algs=1

ignore_broadcast_ssid=0

wmm_enabled=1

wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0

wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0

wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0

wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0

wpa=2

wpa_passphrase=<some_pass>

wpa_key_mgmt=WPA-PSK

wpa_pairwise=CCMP
rsn_pairwise=CCMP
All of which results in the following:
ifconfig(8):
Code:
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11b <hostap>
        status: running
        ssid CRAPPY_WIFI_GW channel 1 (2412 MHz 11b) bssid ec:08:6b:fd:cd:5a
        regdomain 32924 country CN indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 20 scanvalid 60 wme burst dtimperiod 1 -dfs
        groups: wlan

Not at all ideal. But it's at least a step in the right direction.
I'll just have to keep poking at it, until I can get it into some satisfactory position to make it work as hoped/intended.

Thanks again, ralphbsz, for the reply!

--Chris
 
The reason I did not leave you my files is you need to learn this.
Notice in ralphbsz's ifconfig line how he has channel and mode. That is how it needs to be.
Like I said earlier the only stuff needed in hostapd.conf is the interface= and wpa2 stuff.
No radio stuff.
The 'mode' setting you are missing is 11na or 11ng depending on which band you are using.

ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid CRAPPY_WIFI_GW mode 11na channel 165"
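To make the rule of thumb from this post checkable, here is a small linter for hostapd.conf that flags the radio keys the thread found do not take effect under hostapd's bsd driver (they belong in create_args_wlan0 / ifconfig_wlan0) and the security settings that leave an AP open or weakly protected. This is an added example, not part of hostapd or of anyone's config in the thread; the two sample configs are constructed from the hostapd.conf files posted above, trimmed to the relevant keys.

```python
"""Lint a hostapd.conf for FreeBSD AP use: radio settings belong in rc.conf,
hostapd.conf should carry only interface, SSID, control socket and WPA2.
Added example; sample configs are constructed from the thread, not live files."""

# Keys the thread found are ignored or rejected by hostapd's bsd driver on
# FreeBSD, mapped to the ifconfig(8) keyword that replaces them.
RADIO_KEYS = {
    "hw_mode": "mode 11g/11a/11ng/11na",
    "channel": "channel N",
    "chanlist": "channel N",
    "ieee80211n": "mode 11ng/11na",
    "ieee80211ac": "mode ...",
    "country_code": "country XX (in create_args_wlan0, before mode/channel)",
}

# Constructed sample: the first hostapd.conf posted in the thread, trimmed.
FIRST_POST = """\
interface=wlan0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
ssid=wireless-gw
#ieee80211n=1
hw_mode=g
channel=165
macaddr_acl=0
auth_algs=3
wpa=2
wpa_passphrase=sumsecretpass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
"""

# Constructed sample: the minimalist config posted later in the thread.
MINIMAL = """\
interface=wlan0
ssid=APU3
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
"""


def parse_hostapd_conf(text):
    """key=value lines; only whole-line '#' comments are comments, as in hostapd."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd_conf(text):
    """Return (conf, findings); findings are strings starting with the key."""
    conf = parse_hostapd_conf(text)
    findings = []
    for key, value in conf.items():
        if key in RADIO_KEYS:
            findings.append(f"{key}: radio setting; on FreeBSD set it with ifconfig "
                            f"'{RADIO_KEYS[key]}' instead")
        if " #" in value:  # hostapd keeps a trailing '# ...' as part of the value
            findings.append(f"{key}: trailing comment becomes part of the value ({value!r})")
    if "interface" not in conf:
        findings.append("interface: missing, hostapd has no wlan device to drive")
    wpa = int(conf.get("wpa", "0"))
    if wpa == 0:
        findings.append("wpa: not set, the AP is open (no authentication, no encryption)")
    else:
        if wpa & 1:
            findings.append("wpa: WPA1 enabled; use wpa=2 only")
        ciphers = set((conf.get("wpa_pairwise", "") + " " + conf.get("rsn_pairwise", "")).split())
        if "TKIP" in ciphers:
            findings.append("wpa_pairwise: TKIP allowed; use CCMP only")
        passphrase = conf.get("wpa_passphrase", "")
        if "wpa_psk" not in conf and not 8 <= len(passphrase) <= 63:
            findings.append("wpa_passphrase: must be 8 to 63 characters")
    if int(conf.get("auth_algs", "1")) & 2:
        findings.append("auth_algs: shared-key (WEP) authentication enabled; use auth_algs=1")
    if conf.get("macaddr_acl") == "1" and wpa == 0:
        findings.append("macaddr_acl: a MAC allow-list alone is not authentication; "
                        "addresses are trivially copied from the air")
    return conf, findings


if __name__ == "__main__":
    for name, sample in (("first post", FIRST_POST), ("minimal", MINIMAL)):
        _, found = lint_hostapd_conf(sample)
        print(f"{name}: {len(found)} finding(s)")
        for item in found:
            print("  -", item)
```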
 
Your country code on the wireless looks like it is country=CN
I would fix that too. You can do it two ways. Pass the country code in the ifconfig line or set the firmware right.
https://wiki.freebsd.org/WiFiRegulatory

The FreeBSD installer has an app that pops up during wireless setup that allows you to pick your country. I dunno if it's pulling the default country from firmware or what. You could try switching it there. I am unsure about that bsdinstaller script that sets the country. I've been meaning to look at the code and see what it does. As a user you are allowed to change the default country. Check out Linux CRDA for example.
 
The reason I did not leave you my files is you need to learn this.
I was already suffering. So I came here for help -- thanks.
OK so I performed what looked like I was following the advice. But now it appears I'm moving backward. :-(
ifconfig wlan0 destroy
ifconfig wlan0 create wlandev ath0 wlanmode hostap
Code:
# bpf attached
bpf attached
Ethernet address: ec:08:6b:fd:cd:5a
ifconfig wlan0 inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11na
Code:
ifconfig: SIOCSIFMEDIA (media): Device not configured
The same output occurs when I add a channel:
ifconfig wlan0 inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11na channel 156
ifconfig(8) indicates that wlan0 was created, but no (IP) address is attached.

Back to the drawing board, for me...

hostapd(8) complains that it cannot change the country code/origin to country_code=US.

Thanks for trying, anyway.

--Chris
 
Have you tried 11ng ?

Country code belongs in your ifconfig.
/etc/rc.conf
Code:
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country US"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11ng"
 
OK finally got something that at least works. It's far from ideal. But I can at least start working with it. In hopes of getting it to something more usable.
FWIW here's the only way I could initiate it into a usable state:
ifconfig wlan0 destroy
ifconfig wlan0 create wlandev ath0 wlanmode hostap
ifconfig wlan0 inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW
The addition/use of channel, or country only served to make it unusable / alterable.
rc.conf(5):
Code:
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
hostapd_enable="YES"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW"
The hostapd(8) config is the same as above, with the exception that I added the ssid.

Now it's time to see how I can actually gain control of the frequencies / mode && channel.

Wish me luck!

--Chris
 
Have you tried 11ng ?

Country code belongs in your ifconfig.
/etc/rc.conf
Code:
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country ??"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11ng"
Not according to ifconfig(8):
Code:
country name
        Set the country code to use in calculating the regulatory con-
        straints for operation.  In particular the set of available chan-
        nels, how the wireless device will operation on the channels, and
        the maximum transmit power that can be used on a channel are
        defined by this setting.  Country/Region codes are specified as a
        2-character abbreviation defined by ISO 3166 or using a longer,
        but possibly ambiguous, spelling; e.g., "ES" and "Spain".  The
        set of country codes are taken from /etc/regdomain.xml and can
        also be viewed with the ``list countries'' request.  Note that
        not all devices support changing the country code from a default
        setting; typically stored in EEPROM.  See also regdomain, indoor,
        outdoor, and anywhere.
Well. At least that's what it said. But I appreciate your trying. :)
 
It has to go before mode and channel because it controls them. Some countries may not allow 5ghz or a certain frequency.

Your channel list may be different after setting country code.
 
Thanks, Phishfry!
Well. This is what I have so far:
Code:
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid WIFI_GW channel 1 (2412 MHz 11g ht/40+) bssid ec:08:6b:fd:cd:5a
        regdomain FCC country US indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 30 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
        shortgi -ldpc wme burst dtimperiod 1 -dfs
        groups: wlan
I think (based on the info I provided at the top) I can get better throughput on this card. But at least I have something that I can actually try and tweak now (thanks again).
I'm also struggling with the filtering (pf(4)). Prior to setting this up, I dropped anything that I didn't originate. But I'm now seeing probes. This is my first use of NAT. Don't care for it, but it made the initial setup and testing a bit quicker.
FWIW this is what I'm now using:
Code:
ext="re0"
wifi="wlan0"

set loginterface $ext
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo0

scrub in all
# wireless
nat on $ext from $wifi:network to !($ext) -> ($ext)

block in log quick all
pass out all keep state

table <trusted> { <string of comma separated local public IP's>  }

antispoof quick for lo0
antispoof for $ext inet

pass quick on $ext proto udp from any to any port { domain, ntp } keep state

pass in quick on $ext from <trusted> to any keep state
pass in log on $wifi inet
I hacked this up pretty quickly, and as a result I leaned on the side of leniency rather than strictness, in an effort to ensure I could actually get the WIFI through. I think it's time I revisit my rules.

Thanks again, Phishfry!

--Chris
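Since most of this thread is people reading `ifconfig wlan0` dumps by eye, here is a small audit script that pulls out the fields that mattered (hostap mode, running state, SSID, regdomain/country, authmode/privacy) and reports what a defender would want fixed: the EEPROM regdomain left at `32924`/`CN`, an empty SSID, and an open (`authmode OPEN privacy OFF`) AP. This is an added example, not part of FreeBSD or of any post above; the two sample dumps are constructed from the "before" and "after" outputs posted in the thread.

```python
"""Audit an `ifconfig wlan0` dump for the settings this thread keeps circling
around.  Added example; the sample dumps are constructed from the thread's
posted outputs, not captured live."""
import re

# Constructed sample: state right after create_args_wlan0 with no ssid/country
# (no carrier, raw EEPROM regdomain, open, no privacy).
BEFORE = """\
wlan0: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        media: IEEE 802.11 Wireless Ethernet autoselect <hostap> (autoselect <hostap>)
        status: no carrier
        ssid "" channel 1 (2412 MHz 11g ht/40+)
        regdomain 32924 country CN indoor ecm authmode OPEN privacy OFF
        txpower 20 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
        groups: wlan
"""

# Constructed sample: the working state after `country US` and `mode 11ng`.
AFTER = """\
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid WIFI_GW channel 1 (2412 MHz 11g ht/40+) bssid ec:08:6b:fd:cd:5a
        regdomain FCC country US indoor ecm authmode WPA2/802.11i
        privacy MIXED deftxkey 2 AES-CCM 2:128-bit AES-CCM 3:128-bit
        txpower 30 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
        groups: wlan
"""

# One regex per single-token field; group(1) is the value.
_FIELDS = {
    "status": r"status:\s*(\S.*)$",
    "ssid": r'ssid\s+("[^"]*"|\S+)',
    "country": r"\bcountry\s+(\S+)",
    "regdomain": r"\bregdomain\s+(\S+)",
    "authmode": r"\bauthmode\s+(\S+)",
    "privacy": r"\bprivacy\s+(\S+)",
}


def parse_wlan(text):
    """Extract the AP-relevant fields from an ifconfig(8) wlan dump."""
    info = {"hostap": re.search(r"media:.*<hostap>", text) is not None,
            "channel": None, "mhz": None}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, text, re.MULTILINE)
        info[key] = m.group(1).strip().strip('"') if m else None
    m = re.search(r"channel\s+(\d+)\s+\((\d+)\s+MHz", text)
    if m:
        info["channel"], info["mhz"] = int(m.group(1)), int(m.group(2))
    flags = re.search(r"flags=[0-9a-f]+<([^>]*)>", text)
    info["flags"] = flags.group(1).split(",") if flags else []
    return info


def audit_wlan(text):
    """Return (info, findings): what the dump says and what should be fixed."""
    info = parse_wlan(text)
    findings = []
    if not info["hostap"]:
        findings.append("not in hostap mode: create the interface with 'wlanmode hostap'")
    if "RUNNING" not in info["flags"] or info["status"] != "running":
        findings.append("interface not running: nothing is beaconing yet")
    if not info["ssid"]:
        findings.append("empty ssid: set 'ssid NAME' in ifconfig_wlan0 or create_args_wlan0")
    if info["regdomain"] and info["regdomain"].isdigit():
        findings.append(f"regdomain {info['regdomain']} (country {info['country']}) is the raw "
                        "EEPROM default: put 'country XX' in create_args_wlan0 before mode/channel")
    if info["authmode"] == "OPEN" or info["privacy"] == "OFF":
        findings.append("open network: anyone in range can associate; enable WPA2 (wpa=2, CCMP)")
    return info, findings


if __name__ == "__main__":
    for name, dump in (("before", BEFORE), ("after", AFTER)):
        info, found = audit_wlan(dump)
        print(f"{name}: ssid={info['ssid']!r} country={info['country']} "
              f"channel={info['channel']} ({info['mhz']} MHz) authmode={info['authmode']}")
        for item in found:
            print("  -", item)
```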
 
Here is my minimalist WAP starting point:

/etc/rc.conf
Code:
hostname="APU3"
ifconfig_igb0="DHCP"
sshd_enable="YES"
dumpdev="NO"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap ssid APU3"
hostapd_enable="YES"
ifconfig_wlan0="inet 192.168.100.1 netmask 255.255.255.0"
dnsmasq_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile=/var/log/pflog
defaultrouter="192.168.1.1"
/etc/hostapd.conf
Code:
interface=wlan0
ssid=APU3
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
/usr/local/etc/dnsmasq.conf
Code:
server=8.8.8.8
server=8.8.4.4
dhcp-range=wlan0,192.168.100.10,192.168.100.25,255.255.255.0,24h
dhcp-option=option:router,192.168.100.1
log-facility=/var/log/dnsmasq.log
log-dhcp
log-async
/etc/pf.conf
Code:
ext_if="igb0"
int_if="wlan0"
set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
Code:
root@APU3:~ # ifconfig wlan0
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether 4c:5e:0c:11:65:38
   inet 192.168.100.1 netmask 0xffffff00 broadcast 192.168.100.255
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
   status: running
   ssid APU3 channel 36 (5180 MHz 11a ht/20) bssid 4c:5e:0c:11:65:38
   regdomain FCC country US ecm authmode OPEN privacy OFF txpower 17
   mcastrate 6 mgmtrate 6 scanvalid 60 ampdulimit 64k ampdudensity 8
   shortgi wme burst dtimperiod 1 -dfs
   groups: wlan
 
The above config is for an APU3 with a MikroTik module with only the 5GHz band offered.
That is why it uses channel 36 when no channel is specified.
On a module with both 2.4GHz and 5GHz bands it defaults to channel 1 unless you specify a channel.

/etc/rc.conf
Code:
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country US ssid phatso channel 157"
hostapd_enable="YES"
ifconfig_wlan0="inet 192.168.200.1 netmask 255.255.255.0"
Code:
root@MIO4:~ # ifconfig wlan0
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
   ether e0:06:e6:9a:b1:01
   inet 192.168.200.1 netmask 0xffffff00 broadcast 192.168.200.255
   nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
   media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
   status: running
   ssid phatso channel 157 (5785 MHz 11a ht/40+) bssid e0:06:e6:9a:b1:01
   regdomain FCC country US indoor ecm authmode OPEN privacy OFF
   txpower 23 mcastrate 6 mgmtrate 6 scanvalid 60 ampdulimit 64k
   ampdudensity 8 shortgi wme burst dtimperiod 1 -dfs
   groups: wlan
It seems you don't need to specify a mode (11na/11ng); simply add a channel.
 
Phishfry, thanks for all your clues and input!
My configuration (while not yet tweaked for speed on the wifi card) seemed to work. I was able to make a connection from my phone. But I later discovered that when I opened a browser on the phone, dnsmasq would show that it had made the requests for the IPs of the web sites and returned the IPs, but no web pages ever showed up. So, following some of your settings, I added gateway_enable="YES" to rc.conf(5). I already had net.inet.ip.forwarding=1 defined in sysctl.conf(5). But the results are the same -- pages don't show up. Any thoughts on what I'm overlooking?
As it is now, this is my attempted setup, and the configs:
BOX/WIFI_AP:
has one public/static IP attached to its only NIC (re0)
the NIC is directly connected to a switch, which is connected to a cable-modem

Intent is to allow wireless clients to connect to the internet via the wifi NIC (ath0)

IOW, get the system and re0 to pass packets to anything coming to and from ath0/wlan0

What I'm doing (wrong?):
Code:
RC.CONF(5)

hostname="host.valid-domain.tld"
ifconfig_re0="inet XXX.YYY.ZZZ.86 netmask 255.255.255.0"
defaultrouter="XXX.YYY.ZZZ.1"
ifconfig_re0_ipv6="inet6 accept_rtadv"
#------ WIRELESS --------------------------------------#
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country US"
hostapd_enable="YES"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11ng"
#--------------------------------------------------------#
dnsmasq_enable="YES"
dnsmasq_logfile="/var/log/dnsmasq_log"

gateway_enable="YES"

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
hostapd(8)
Code:
interface=wlan0

logger_syslog=-1
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2

ctrl_interface=/var/run/hostapd
#dump_file=/var/log/hostapd.dump

ctrl_interface_group=0

ssid=WIFI_GW

#country_code=US

#ieee80211n=1
#ieee80211n=1          # 802.11n support
#ieee80211ac=1         # 802.11ac support

hw_mode=a

chanlist=11-157

##beacon_int=100

##dtim_period=2

##max_num_sta=255

##rts_threshold=2347

##fragm_threshold=2346

macaddr_acl=0

##auth_algs=1

ignore_broadcast_ssid=0

wmm_enabled=1

wmm_ac_bk_cwmin=4
wmm_ac_bk_cwmax=10
wmm_ac_bk_aifs=7
wmm_ac_bk_txop_limit=0
wmm_ac_bk_acm=0

wmm_ac_be_aifs=3
wmm_ac_be_cwmin=4
wmm_ac_be_cwmax=10
wmm_ac_be_txop_limit=0
wmm_ac_be_acm=0

wmm_ac_vi_aifs=2
wmm_ac_vi_cwmin=3
wmm_ac_vi_cwmax=4
wmm_ac_vi_txop_limit=94
wmm_ac_vi_acm=0

wmm_ac_vo_aifs=2
wmm_ac_vo_cwmin=2
wmm_ac_vo_cwmax=3
wmm_ac_vo_txop_limit=47
wmm_ac_vo_acm=0
So, yes, at this time I simply have it open.

dnsmasq(8)
Code:
# Configuration file for dnsmasq.

# our local (recursive) DNS
##server=XXX.YYY.ZZZ.81

interface=wlan0

listen-address=172.16.0.1

local-service

##dhcp-range=wlan0,172.16.0.10,172.16.0.15,255.255.255.0,12h
dhcp-range=172.16.0.10,172.16.0.15,255.255.255.0,12h

# Currently just my cell-phone
dhcp-host=78:4b:87:e6:bc:d9,172.16.0.15

##dhcp-option=option:router,172.16.0.1

log-facility=/var/log/dnsmasq.log
log-queries
log-dhcp
I tried it with the entries you listed (double-commented) as well as the ones I had been using. Neither seemed to make the difference.

pf.conf(5)
Code:
ext="re0"
wifi="wlan0"

set loginterface $ext
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo0

scrub in all
# wireless
##nat on $ext from $wifi:network to !($ext) -> ($ext)
nat on $ext inet from ! ($ext) to any -> ($ext)

block in log quick all
pass out all keep state

table <trusted> { <comma separated list of public-IP's (internet) attached to our boxes>  }

antispoof quick for lo0
#antispoof for $ext inet

pass quick on $ext proto udp from any to any port { domain, ntp } keep state

pass in quick on $ext from <trusted> to any keep state
pass in quick on $wifi inet
pass in quick on ! $ext inet
You can see from the commented entries that I've attempted a couple of strategies. But neither works. :-(

At this point, I'm either missing something so obvious I can't see it, or I should be looking at bridge(4)ing as the correct solution for this.

Any thoughts or suggestions greatly appreciated.

Thanks again, Phishfry!

--Chris
 
Like I said, the hostapd gets no radio settings, and you seem to have invalid settings in the dnsmasq.
No idea where "interface=wlan0" comes from, as it's not found in the example file /usr/local/etc/dnsmasq.conf.sample nor in my example.
I do see you commented out the important line with option:router.
And added this:
dhcp-host=78:4b:87:e6:bc:d9,172.16.0.15

You seem to be adding more stuff than needed.
 
I tried with, and without dhcp-option=option:router,172.16.0.1, as well as wifi="wlan0".
I added, and removed the dhcp-host for convenience. That line has always worked.
I did use your config as listed w/o any of my "extra" settings, except as it pertained to my specific box. But I experienced the same outcome. Domains/hosts resolved. But no web pages.

Thanks for taking the time to reply, Phishfry.

--Chris
 