Solved Help plumbing a wireless AP

When you say 'hosts resolved', can you ping from client machines, both IPs and domain names? For example, ping 8.8.8.8 and ping google.com.

What does the command resolvconf -l show on the client machine?
 
While I do have a terminal on my cellphone, it's fairly cumbersome, so I don't really use it. OTOH I see entries like the following in the dns/dnsmasq log:
Code:
Apr 17 09:54:59 dnsmasq[92513]: query[A] clients3.google.com from 172.16.0.15
Apr 17 09:54:59 dnsmasq[92513]: cached clients3.google.com is <CNAME>
Apr 17 09:54:59 dnsmasq[92513]: cached clients.l.google.com is 172.217.3.174
Apr 17 09:55:07 dnsmasq[92513]: query[A] www.google.com from 172.16.0.15
Apr 17 09:55:07 dnsmasq[92513]: forwarded www.google.com to XXX.YYY.ZZZ.81
Apr 17 09:55:07 dnsmasq[92513]: reply www.google.com is 172.217.3.164
Apr 17 09:55:08 dnsmasq[92513]: query[A] duckduckgo.com from 172.16.0.15
Apr 17 09:55:08 dnsmasq[92513]: forwarded duckduckgo.com to XXX.YYY.ZZZ.81
Apr 17 09:55:08 dnsmasq[92513]: reply duckduckgo.com is 50.18.192.251
Apr 17 09:55:08 dnsmasq[92513]: reply duckduckgo.com is 50.18.192.250
So it's passing queries to the authoritative DNS on my network.
I just don't get the web pages from those queries. For the record, I didn't make the query to google. It appears the phone itself does that (because it's running android?).

Thanks for hanging in there, Phishfry!

--Chris
 
WooHoo! It works!

OK I'm about to tag this one SOLVED. But I'm not happy with the state of my pf.conf(5) file.
Turns out that the problem was my pf.conf(5) file all along. It was too restrictive (in the wlan dept. anyway).
EDIT:
Turns out my original pf.conf(5) rules were fine except for
block in log all
So I'm going to need to find an alternative.
/EDIT
So in desperation, I used your lines, and only your lines, posted in this thread (adapted for my box, of course). I also dropped support for hostapd(8). I get much faster/better speeds, and capabilities, as a result:
Code:
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid WIFI_GW channel 11 (2462 MHz 11g ht/40-) bssid ec:08:6b:fd:cd:5a
        regdomain FCC country US indoor ecm authmode OPEN privacy OFF
        txpower 30 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
        shortgi -ldpc wme burst dtimperiod 1 -dfs
        groups: wlan
I'll just filter by MAC for now. Or figure out some other method, as required.

Thanks a million, Phishfry!
I'd push the thanks button on the conf entries you posted. But I already did, and it won't let me do it again. :(
I owe you a beer, if we should ever meet. :)

--Chris
 
Are you able to serve up the 5 GHz channels with your AP? I notice you are on channel 11.
I see some AR928x have a firmware mod to fix up some OEM modules for missing 5 GHz in a pfSense post:
https://forum.pfsense.org/index.php?topic=111250.0
It's supposed to. :)
I've spent so much time dialing all the settings to actually get it to work. I haven't had a chance to really dig in to make the card itself perform better.
Thanks for the link, Phishfry. I'll give it a look!

--Chris
 
OK for those looking on, and in case I ever need a "clue bat" in the future. This is how I managed to set up a wireless AP on a box whose NIC (re0) faces the internet -- has a static public IP only, and uses pf(4) as its filter.
LAYOUT:
internet <=== (re0)FreeBSD-box(ath0)
IOW the box has 2 NICs: re0 (ethernet/internet) and ath0 (wireless, ath(4)).
Configuration:
rc.conf(5):
Code:
# /etc/rc.conf
#------ NET -------------------------------------------#
hostname="host-name.domain-name.tld"
ifconfig_re0="inet XXX.YYY.ZZZ.86 netmask 255.255.255.0"
defaultrouter="XXX.YYY.ZZZ.1"
ifconfig_re0_ipv6="inet6 accept_rtadv"
#------ WIRELESS --------------------------------------#
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country US"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11ng channel 11"

gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#------ SERVICES --------------------------------------#
syslogd_flags="-ss"
dnsmasq_enable="YES"
dnsmasq_logfile="/var/log/dnsmasq_log"
pf.conf(5):
Code:
# /etc/pf.conf
# names/labels chosen in this post for easier reading

interweb="re0"
wireless="wlan0"

set loginterface $interweb
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo

scrub in all
# wireless
nat on $interweb inet from ! ($interweb) to any -> ($interweb)

#block in log quick all
block in log quick on $interweb all
pass out all keep state

table <trusted> { <a comma separated list of other public IP's in my network>  }

antispoof quick for lo0
antispoof for $interweb inet

pass quick on $interweb proto udp from any to any port { domain, ntp } keep state

pass in quick on $interweb from <trusted> to any keep state

# note: some people may want to add additional lines for ICMP related
# stuff. The above works for me(tm) So I'll not address it here
# please see:
# https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html
# if you need more info
dnsmasq.conf (from the dns/dnsmasq port):
Code:
# /usr/local/etc/dnsmasq.conf

# the following 2 lines are ONLY required if you don't have
# a recursive DNS serving your network
#server=<DNS_SERVER_IP_#1>
#server=<DNS_SERVER_IP_#2>

dhcp-range=wlan0,172.16.0.10,172.16.0.15,255.255.255.0,24h

# the MAC address of a device you want to assign a static host name to
# (placeholder MAC; no trailing colon after the last octet)
dhcp-host=uu:vv:ww:xx:yy:zz,my-wireless-device1

dhcp-option=option:router,172.16.0.1

# Android devices sing loudly, and frequently to google
# this is a waste of packets. So let's stop it here
address=/clients3.google.com/127.0.0.1
address=/clients.l.google.com/127.0.0.1

# Logging facilities
log-facility=/var/log/dnsmasq.log
# note: after determining everything works as desired
# You may want to nuke the following line, and ONLY the following line
log-queries

log-dhcp
log-async

Here are the results using the above configuration:
The ethernet (re0):
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
        ether 34:97:f6:9f:d1:8f
        inet XX.YY.ZZ.86 netmask 0xffffff00 broadcast XX.YY.ZZ.255
        inet6 fe80::3697:f6ff:fe9f:d18f%re0 prefixlen 64 scopeid 0x1
        nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        media: Ethernet autoselect (1000baseT <full-duplex>)
        status: active
This is a good card, and I may have done better choosing bridge(4) for my setup, which would have provided hardware tagging for better performance.
The wireless (ath0):
Code:
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether ec:08:6b:fd:cd:5a
        inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
        nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
        status: running
        ssid WIFI_GW channel 11 (2462 MHz 11g ht/40-) bssid ec:08:6b:fd:cd:5a
        regdomain FCC country US indoor ecm authmode OPEN privacy OFF
        txpower 30 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
        shortgi -ldpc wme burst dtimperiod 1 -dfs
        groups: wlan
This ath(4) card also supports hardware tagging/offloading and other "goodies". Another reason I might have been better off using bridge(4).
Please note:
The above configuration is essentially open. I'm filtering on MAC addresses as a means of authentication. In my situation, this method will suffice, but in your situation it may not. In any case, you would do well to have a look at the hostapd(8) man pages, as it offers many other "features" not covered here. This is a good starting point for anyone working on a similar application of a Wireless Access Point on FreeBSD.

A special thanks to Phishfry and ralphbsz for providing me the "clue bats" necessary to accomplish this, and especially to Phishfry for his persistence!

Thanks!

--Chris
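The "essentially open" wireless side noted in the final post can be closed without reintroducing the `block in log all` problem from the earlier post (it blocked wlan0 inbound as well, so the author dropped it). Below is an added example ruleset, not the thread author's file: it keeps the default deny on every interface and passes only what wireless clients need. It assumes the re0/wlan0 names from the thread, the 172.16.0.0/24 subnet from the dnsmasq dhcp-range, and dnsmasq listening on the wlan0 address; the author's <trusted> table and $interweb rules would be kept unchanged.

```pf
# /etc/pf.conf (added example, not the thread author's ruleset)
# Assumptions: re0/wlan0 as in the thread, wireless clients in 172.16.0.0/24
# (the dnsmasq dhcp-range subnet), dnsmasq listening on the wlan0 address.
interweb="re0"
wireless="wlan0"
wifi_net="172.16.0.0/24"

set loginterface $interweb
set block-policy drop
set skip on lo

scrub in all

nat on $interweb inet from $wifi_net to any -> ($interweb)

# Default deny on every interface, as in the original ruleset. The thread
# removed this because it also blocked wlan0; instead, keep it and open
# the wireless side explicitly below.
block in log all
pass out all keep state

antispoof quick for lo0
antispoof for $interweb inet
antispoof for $wireless inet

# --- wireless clients -> the AP itself ---
# DHCP discover/request arrives from 0.0.0.0:68 to 255.255.255.255:67,
# so this one cannot be restricted to $wifi_net.
pass in quick on $wireless inet proto udp from any port bootpc to any port bootps
# DNS to dnsmasq on the AP address only
pass in quick on $wireless inet proto { tcp, udp } from $wifi_net to ($wireless) port domain keep state
# ICMP echo to the AP for troubleshooting
pass in quick on $wireless inet proto icmp from $wifi_net to ($wireless) icmp-type echoreq keep state

# --- wireless clients -> the internet ---
# Forward (and NAT) anything from the wireless subnet that is not addressed
# to the box itself; other local services stay unreachable from wifi.
pass in quick on $wireless inet from $wifi_net to ! self keep state

# The original <trusted> table and the $interweb rules from the thread
# would follow here unchanged.
```

Parse it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; the MAC-based client filtering the author chose is done on the wlan side and is independent of these pf rules.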
 