For a long time, I wanted to have a FreeBSD dual band AP. I sort of wanted to take the easy way out, so I thought Google would be my friend and lead me to "easy" instructions. Not so. Even searching these forums, the FreeBSD Handbook and FAQ, I found nothing that provided all the pieces. I achieved my goal and would like to share my configuration here. I am by no means an expert, so I welcome suggestions on improvements.
The router/AP consists of two Atheros dual band PCI-e wireless cards, one PCI-e Realtek gigabit Ethernet card and an onboard Atheros gigabit Ethernet port. The Realtek card is the WAN connection to the outside world; the onboard Atheros NIC connects to an 8-port switch for wired connections (mainly printers). The two wireless interfaces are bridged with the wired LAN interface; network addresses are served on, and NAT is done for, the bridge interface. The SSID for the 2 GHz band is "ICE_Van_2G" and for the 5 GHz band "ICE_Van_5G". You'll want to change these!
Software used:
- The router/AP is not a DNS server (no unbound or BIND).
- The base system pf is used for the firewall and NAT.
- The base system hostapd is used for WPA authentication.
- net/isc-dhcp43-server is used for serving IPv4 addresses.
- A lot of online documentation leads one to believe that much of the wireless interface configuration should be done in /etc/hostapd.conf. I found this to NOT be true. My hostapd configuration files are used solely for WPA configuration.
- As much configuration as possible should be done in /etc/rc.conf, especially wireless interface configuration.
- If HT capability is necessary, it must be set via ifconfig in /etc/rc.conf; it cannot be configured in hostapd.conf.
- The documentation on automagically loading two instances of hostapd upon boot is non-existent. Examination of /etc/rc.d/hostapd revealed the "secret": it appends the interface name to 'hostapd', so the per-interface configuration files are /etc/hostapd-wlanX.conf.
I use ee as my editor; if vi, nano or any other editor is used, invoke that where ee is seen below.
So, let's get started:
The system's network hardware must be known:
pciconf -lv
Code:
re0@pci0:1:0:0: class=0x020000 card=0x34687470 chip=0x816810ec rev=0x06 hdr=0x00
vendor = 'Realtek Semiconductor Co., Ltd.'
device = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
class = network
subclass = ethernet
ath0@pci0:3:0:0: class=0x028000 card=0x3a7e1186 chip=0x0030168c rev=0x01 hdr=0x00
vendor = 'Qualcomm Atheros'
device = 'AR93xx Wireless Network Adapter'
class = network
alc0@pci0:4:0:0: class=0x020000 card=0xe0001458 chip=0x10831969 rev=0xc0 hdr=0x00
vendor = 'Qualcomm Atheros'
device = 'AR8151 v2.0 Gigabit Ethernet'
class = network
subclass = ethernet
ath1@pci0:5:0:0: class=0x028000 card=0x30a4168c chip=0x002e168c rev=0x01 hdr=0x00
vendor = 'Qualcomm Atheros'
device = 'AR9287 Wireless Network Adapter (PCI-Express)'
class = network
re0 - PCI-e gigabit NIC
ath0 - PCI-e wireless card
alc0 - onboard gigabit NIC
ath1 - PCI-e wireless card
1) Install net/isc-dhcp43-server
cd /usr/ports/net/isc-dhcp43-server
make rmconfig
make clean && make install clean
2) Edit /boot/loader.conf
echo 'if_bridge_load="YES"' >> /boot/loader.conf
echo 'bridgestp_load="YES"' >> /boot/loader.conf
3) Edit /etc/rc.conf
Syntax here is available via the FreeBSD Handbook. I suggest printing the ifconfig(8) manual page; it's a great reference. Upon system reboot, the wlan0 and wlan1 interfaces will be configured in AP mode and added to the bridge with alc0. The bridge will be assigned an IP address, and the DHCP server and NAT will run on it.
ee /etc/rc.conf
Code:
hostname="Zaphod"
ipv6_activate_all_interfaces="YES"
ifconfig_alc0="up"
ifconfig_re0="DHCP -lro -tso"
ifconfig_re0_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostapd"
ifconfig_wlan0="up HOSTAP country US ssid ICE_Van_5G mode 11na channel 153:ht/40- indoor shortgi regdomain FCC3 wme dotd"
wlans_ath1="wlan1"
create_args_wlan1="wlanmode hostapd"
ifconfig_wlan1="up HOSTAP country US ssid ICE_Van_2G mode 11ng channel 11:ht/40- indoor shortgi regdomain FCC3 wme dotd"
cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.191.135.1/24 addm wlan0 addm wlan1 addm alc0 up"
defaultrouter="XXX.XXX.XXX.XXX"
dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bridge0"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-g"
powerd_enable="YES"
devd_enable="YES"
microcode_update_enable="YES"
darkstat_enable="YES"
darkstat_interface="re0"
vnstat_enable="YES"
4) Edit /usr/local/etc/dhcpd.conf
Just delete what's in there already. Since I'm not running a DNS server, I send three servers for the clients to use. I also ensure that my main computer "Cerberus" is always assigned the same address.
ee /usr/local/etc/dhcpd.conf
Code:
option domain-name-servers 209.244.0.3, 208.67.222.222, 156.154.70.1;
option subnet-mask 255.255.255.0;
default-lease-time 14400;
max-lease-time 86400;
subnet 10.191.135.0 netmask 255.255.255.0 {
    range 10.191.135.31 10.191.135.100;
    option routers 10.191.135.1;
}
host Cerberus {
    fixed-address 10.191.135.2;
    hardware ethernet 00:24:d6:86:f5:da;
}
5) Edit /etc/dhclient.conf
I prepend my chosen DNS servers, so I'm not forced to use my ISP's.
ee /etc/dhclient.conf
Code:
interface "re0" {
    send host-name "Zaphod";
    prepend domain-name-servers 209.244.0.3, 208.67.222.222, 156.154.70.1;
}
6) Create the /etc/hostapd-wlanX.conf files.
ee /etc/hostapd-wlan0.conf
Code:
interface=wlan0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
wpa=2
wpa_passphrase=t0p!secret&PWD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
ee /etc/hostapd-wlan1.conf
Code:
interface=wlan1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
wpa=2
wpa_passphrase=ultra_S3cr3t~pwd
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
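A quick consistency check for the per-interface hostapd files, added here as an example and not part of the original post. It verifies what the notes above rely on: the wlanX in each file name matches its interface= line (that is how /etc/rc.d/hostapd pairs /etc/hostapd-wlanX.conf with the interface it is started for), WPA2 with CCMP only, a passphrase length hostapd will accept (8 to 63 characters), and that the file, which holds the PSK in plaintext, is not readable by group or others. The make_sample_confs function writes constructed copies into a temporary directory so the check can be exercised without touching /etc; the second sample file is deliberately broken.

```sh
#!/bin/sh
# Added example: sanity-check /etc/hostapd-wlanX.conf files before rebooting.
# Not part of the original post; it expects the file layout shown above.

check_hostapd_conf() {
    # usage: check_hostapd_conf /etc/hostapd-wlan0.conf
    # Prints one line per problem and returns the number of problems (0 = clean).
    f="$1"
    errs=0
    # 1. /etc/rc.d/hostapd opens /etc/hostapd-${ifn}.conf for interface ${ifn},
    #    so the file name suffix and the interface= line must agree.
    want=$(basename "$f" .conf | sed 's/^hostapd-//')
    have=$(sed -n 's/^interface=//p' "$f")
    [ "$have" = "$want" ] || { echo "$f: interface=$have but file name says $want"; errs=$((errs + 1)); }
    # 2. WPA2 only, with CCMP as the only pairwise cipher (no TKIP fallback).
    grep -q '^wpa=2$' "$f" || { echo "$f: expected wpa=2"; errs=$((errs + 1)); }
    grep -q '^wpa_pairwise=CCMP$' "$f" || { echo "$f: expected wpa_pairwise=CCMP"; errs=$((errs + 1)); }
    # 3. hostapd rejects passphrases outside 8..63 characters.
    pw=$(sed -n 's/^wpa_passphrase=//p' "$f")
    len=${#pw}
    { [ "$len" -ge 8 ] && [ "$len" -le 63 ]; } || { echo "$f: passphrase length $len not in 8..63"; errs=$((errs + 1)); }
    # 4. The PSK is stored in plaintext: group/other permission bits must be clear (mode 0600).
    bits=$(ls -ld "$f" | cut -c5-10)
    [ "$bits" = "------" ] || { echo "$f: readable by group/other, run: chmod 600 $f"; errs=$((errs + 1)); }
    return $errs
}

check_all() {
    # usage: check_all [DIR]   (DIR defaults to /etc); returns 0 only if every file is clean
    dir="${1:-/etc}"
    rc=0
    for f in "$dir"/hostapd-wlan*.conf; do
        [ -e "$f" ] || continue
        check_hostapd_conf "$f" || rc=1
    done
    return $rc
}

make_sample_confs() {
    # Constructed sample files (not the live system) in a temp dir; prints the dir name.
    d=$(mktemp -d)
    cat > "$d/hostapd-wlan0.conf" <<'EOF'
interface=wlan0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
wpa=2
wpa_passphrase=t0p!secret&PWD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
EOF
    chmod 600 "$d/hostapd-wlan0.conf"
    # Deliberately wrong: interface mismatch, TKIP allowed, short passphrase, world-readable.
    cat > "$d/hostapd-wlan1.conf" <<'EOF'
interface=wlan0
wpa=2
wpa_passphrase=short
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP CCMP
EOF
    chmod 644 "$d/hostapd-wlan1.conf"
    echo "$d"
}

# Run against the live /etc when executed directly:  sh check_hostapd.sh
if [ "${0##*/}" = "check_hostapd.sh" ]; then check_all "$@"; fi
```

Save it as check_hostapd.sh and run it after creating the files in step 6; a non-zero exit means at least one file needs attention before the reboot in step 9.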
7) Following the Chapter 8 of The FreeBSD Handbook on configuring a custom kernel, append the following lines to the end of the configuration file:
Code:
# Firewall
device pf
device pflog
device pfsync
options ALTQ
options ALTQ_CBQ # Class Based Queueing (CBQ)
options ALTQ_RED # Random Early Detection (RED)
options ALTQ_RIO # RED In/Out
options ALTQ_HFSC # Hierarchical Packet Scheduler (HFSC)
options ALTQ_PRIQ # Priority Queuing (PRIQ)
options ALTQ_NOPCC # Required for SMP build
# FAST IPsec Support
device crypto
device cryptodev
device aesni
device enc
8) Create / edit /etc/pf.conf
ee /etc/pf.conf
Code:
### pf.conf
## macros
# internal and external interfaces
int_if = "bridge0"
ext_if = "re0"
# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
## options
set block-policy drop
set loginterface $ext_if
set skip on lo0
## scrub
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ext_if all reassemble tcp fragment reassemble
scrub in on $ext_if all fragment reassemble
## nat/rdr
# NAT traffic from internal network to external network through external interface
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
# Pass HP DirectJet to correct printers
rdr pass on $ext_if inet proto tcp from any to port 9100 -> 10.191.135.16 port 9100
rdr pass on $ext_if inet proto tcp from any to port 9101 -> 10.191.135.15 port 9100
rdr pass on $ext_if inet proto tcp from any to port 9102 -> 10.191.135.14 port 9100
## filter rules
block in on $ext_if all
antispoof for $ext_if inet
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF
# block incoming traffic from private networks on external interface
block in quick on $ext_if from $priv_nets to any
# allow access to ssh on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state
# allow in ping replies
pass in inet proto icmp all icmp-type echoreq keep state
# allow all internal traffic
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
# allow all traffic out via external interface
pass out on $ext_if proto {tcp, udp, icmp } all modulate state flags S/SAFR
pass out on $ext_if inet6 proto { tcp, udp, icmp6 } all modulate state flags S/SAFR
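Before rebooting into this ruleset, it is worth seeing the WAN side the way an outsider does. The script below is an added example and not part of the original post: wan_exposure reads a pf.conf, expands the simple `name = "value"` macros, and prints every `pass in` and `rdr` rule that applies to the external interface (given as a parameter; re0 is the default, matching the configuration above), so the list of what the Internet can reach is explicit. For the rules above that list is the three printer redirects, SSH on port 22 and ICMP echo requests; confirm each entry is intentional, since anything else is a typo. pf_preflight wraps `pfctl -nf`, which parses the file without loading it. The sample_pf_conf function writes a constructed copy of the relevant rules to a temporary file for testing.

```sh
#!/bin/sh
# Added example: show what the WAN side of a pf.conf admits, and syntax-check the file.
# Not part of the original post. Macro expansion is deliberately minimal (plain $name
# substitution, which is all the ruleset above needs); this is a reading aid, not a parser.

wan_exposure() {
    # usage: wan_exposure /etc/pf.conf [EXT_IF]      (EXT_IF defaults to re0, as above)
    # Prints "KIND PROTO DPORT -> TARGET" for each 'pass in' or 'rdr' rule that is bound
    # to the external interface, or to no interface at all and therefore also applies to it.
    conf="$1"
    ext="${2:-re0}"
    awk -v EXT="$ext" '
        # macro definitions such as:  ext_if = "re0"
        /^[A-Za-z_][A-Za-z0-9_]*[ \t]*=[ \t]*"/ {
            name = $0; sub(/[ \t]*=.*/, "", name)
            val = $0; sub(/^[^"]*"/, "", val); sub(/"[^"]*$/, "", val)
            macro[name] = val
            next
        }
        /^[ \t]*(#|$)/ { next }                      # comments and blank lines
        {
            line = $0
            for (m in macro) gsub("\\$" m, macro[m], line)
            if (line !~ /^(pass in|rdr)/) next
            # a rule with an "on" clause counts only when it names the external interface
            if (line ~ / on / && line !~ (" on " EXT "( |$)")) next
            kind = (line ~ /^rdr/) ? "rdr" : "pass-in"
            proto = "any"; dport = "any"; target = "(local)"
            seen_to = 0; got_port = 0
            n = split(line, w, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                if (w[i] == "proto") {
                    proto = w[i+1]
                    if (substr(proto, 1, 1) == "{")     # proto { tcp, udp }: join the list
                        for (j = i + 2; j <= n && !index(w[j-1], "}"); j++) proto = proto w[j]
                }
                if (w[i] == "to") seen_to = 1
                if (w[i] == "port" && seen_to && !got_port) { dport = w[i+1]; got_port = 1 }
                if (w[i] == "->") {                   # rdr target; the port after it is the new one
                    target = w[i+1] ((w[i+2] == "port") ? ":" w[i+3] : "")
                    break
                }
            }
            print kind, proto, dport, "->", target
        }
    ' "$conf"
}

pf_preflight() {
    # usage: pf_preflight /etc/pf.conf
    # Parse-only load, so a typo is caught now rather than when pf_enable kicks in at boot.
    if ! command -v pfctl >/dev/null 2>&1; then
        echo "pfctl not found (not FreeBSD?); skipping syntax check" >&2
        return 0
    fi
    pfctl -nf "$1"
}

sample_pf_conf() {
    # Constructed copy of the rules above that matter for the WAN side; prints a temp file name.
    f=$(mktemp)
    cat > "$f" <<'EOF'
int_if = "bridge0"
ext_if = "re0"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
rdr pass on $ext_if inet proto tcp from any to port 9100 -> 10.191.135.16 port 9100
rdr pass on $ext_if inet proto tcp from any to port 9101 -> 10.191.135.15 port 9100
rdr pass on $ext_if inet proto tcp from any to port 9102 -> 10.191.135.14 port 9100
block in on $ext_if all
block in quick on $ext_if from $priv_nets to any
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state
pass in inet proto icmp all icmp-type echoreq keep state
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if proto {tcp, udp, icmp } all modulate state flags S/SAFR
EOF
    echo "$f"
}

# Typical use on the router itself:  sh pf_wan_check.sh
if [ "${0##*/}" = "pf_wan_check.sh" ]; then pf_preflight /etc/pf.conf && wan_exposure /etc/pf.conf re0; fi
```

The output for the sample is five lines: `rdr tcp 9100 -> 10.191.135.16:9100` and its two siblings, then `pass-in tcp 22 -> (local)` and `pass-in icmp any -> (local)`. A `pass in` rule with no `on` clause is listed because it matches on every interface, the external one included.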
9) Reboot and you're set to go.
shutdown -r now
10) Software I use for monitoring:
vnstat net/vnstat
bwm-ng net-mgmt/bwm-ng
nload net/nload
darkstat net-mgmt/darkstat
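The tools above show traffic volume; what they do not show is who is on the bridge. As an added example that is not part of the original post, the script below parses dhcpd.leases (the net/isc-dhcp43-server port keeps it under /var/db/dhcpd/ by default, as far as I know; adjust the path if yours differs), keeps only the last entry for each address because the file is append-only, prints the active leases, and flags any MAC address that is not in a known_macs.txt allow-list. That list file is an assumption of this example, not something the post or the port provides: one MAC per line, `#` comments allowed. make_sample_leases writes constructed sample input so the report can be tried without the live files.

```sh
#!/bin/sh
# Added example: report active DHCP leases on the bridge and flag MAC addresses that are
# not on an allow-list. Not part of the original post. Default paths: the leases file the
# net/isc-dhcp43-server port writes (assumed /var/db/dhcpd/dhcpd.leases) and a hypothetical
# /usr/local/etc/known_macs.txt kept by hand (one MAC per line, '#' comments allowed).

lease_report() {
    # usage: lease_report [LEASES_FILE] [KNOWN_MACS_FILE]
    # Prints "IP MAC HOSTNAME KNOWN|UNKNOWN" for every active lease, sorted by last octet.
    leases="${1:-/var/db/dhcpd/dhcpd.leases}"
    list="${2:-/usr/local/etc/known_macs.txt}"
    # Normalise the allow-list to one lower-case, space-separated string for awk.
    known=$(sed -e 's/#.*//' -e 's/[[:space:]]//g' -e '/^$/d' "$list" | tr 'A-F\n' 'a-f ')
    awk -v known=" $known " '
        # dhcpd.leases is append-only: the last block for an address is the current state.
        /^lease /            { ip = $2; state = ""; mac = ""; host = "-" }
        /binding state/      { state = $3; sub(/;/, "", state) }
        /hardware ethernet/  { mac = tolower($3); sub(/;/, "", mac) }
        /client-hostname/    { host = $2; gsub(/[";]/, "", host) }
        /^}/                 { st[ip] = state; hw[ip] = mac; hn[ip] = host }
        END {
            for (ip in st)
                if (st[ip] == "active")
                    print ip, hw[ip], hn[ip], (index(known, " " hw[ip] " ") ? "KNOWN" : "UNKNOWN")
        }
    ' "$leases" | sort -t . -k 4,4n
}

make_sample_leases() {
    # Constructed sample input (not from a live server) in a temp dir; prints the dir name.
    d=$(mktemp -d)
    cat > "$d/known_macs.txt" <<'EOF'
# devices we expect on the bridge
02:11:22:33:44:55   # tablet
02:DE:AD:BE:EF:01   # phone (case does not matter)
EOF
    cat > "$d/dhcpd.leases" <<'EOF'
lease 10.191.135.31 {
  starts 3 2015/07/01 12:00:00;
  ends 3 2015/07/01 16:00:00;
  binding state active;
  hardware ethernet 02:11:22:33:44:55;
  client-hostname "tablet";
}
lease 10.191.135.32 {
  starts 3 2015/07/01 09:00:00;
  ends 3 2015/07/01 13:00:00;
  binding state free;
  hardware ethernet 02:aa:bb:cc:dd:ee;
}
lease 10.191.135.33 {
  starts 3 2015/07/01 12:30:00;
  ends 3 2015/07/01 16:30:00;
  binding state active;
  hardware ethernet 02:de:ad:be:ef:01;
  client-hostname "phone";
}
lease 10.191.135.31 {
  starts 3 2015/07/01 15:00:00;
  ends 3 2015/07/01 19:00:00;
  binding state active;
  hardware ethernet 02:66:77:88:99:aa;
}
EOF
    echo "$d"
}

# On the router:  sh lease_report.sh   (or pass the two paths explicitly)
if [ "${0##*/}" = "lease_report.sh" ]; then lease_report "$@"; fi
```

With the sample input the report is two lines: 10.191.135.31 is held by 02:66:77:88:99:aa and flagged UNKNOWN (the earlier lease of that address to the tablet has been superseded, and the .32 lease is no longer active), while 10.191.135.33 (phone) is KNOWN. Running it from cron and diffing against the previous output is a cheap way to notice a new device joining the AP.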