OK, for those looking on, and in case I ever need a "clue bat" in the future: this is how I managed to set up a wireless AP on a box whose NIC (re0) faces the internet, has a static public IP only, and uses pf(4) as its filter.
LAYOUT:
internet <=== (re0)FreeBSD-box(ath0)
IOW the box has 2 NICs: re0 (ethernet/internet) and ath0 (wireless, see ath(4)).
Configuration:
rc.conf(5):
Code:
# /etc/rc.conf
#------ NET -------------------------------------------#
hostname="host-name.domain-name.tld"
ifconfig_re0="inet XXX.YYY.ZZZ.86 netmask 255.255.255.0"
defaultrouter="XXX.YYY.ZZZ.1"
ifconfig_re0_ipv6="inet6 accept_rtadv"
#------ WIRELESS --------------------------------------#
wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap country US"
ifconfig_wlan0="inet 172.16.0.1 netmask 255.255.255.0 ssid WIFI_GW mode 11ng channel 11"
gateway_enable="YES"
pf_enable="YES"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
#------ SERVICES --------------------------------------#
syslogd_flags="-ss"
dnsmasq_enable="YES"
dnsmasq_logfile="/var/log/dnsmasq_log"
pf.conf(5):
Code:
# /etc/pf.conf
# names/labels chosen in this post for easier reading
interweb="re0"
wireless="wlan0"
set loginterface $interweb
set block-policy drop
set fingerprints "/etc/pf.os"
set skip on lo
scrub in all
# wireless
nat on $interweb inet from ! ($interweb) to any -> ($interweb)
#block in log quick all
block in log quick on $interweb all
pass out all keep state
table <trusted> { <a comma separated list of other public IP's in my network> }
antispoof quick for lo0
antispoof for $interweb inet
pass quick on $interweb proto udp from any to any port { domain, ntp } keep state
pass in quick on $interweb from <trusted> to any keep state
# note: some people may want to add additional lines for ICMP related
# stuff. The above works for me(tm) So I'll not address it here
# please see:
# https://www.freebsd.org/doc/en/books/handbook/firewalls-pf.html
# if you need more info
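Because the pf.conf above starts with a `block in log quick` rule, it is worth checking which of the later `pass` rules on $interweb can still be reached for inbound traffic. The following is an added example of mine, not code from the post: a small Python model of pf's filter evaluation (rules are walked top to bottom, the last matching rule decides, unless a matching rule is `quick`, which ends evaluation), run over the four filter rules from the post. The <trusted> members and all packet addresses are constructed placeholders; scrub, nat and antispoof are handled by pf separately and are not modelled.

```python
"""Tiny pf(4) filter-rule evaluator (added example, not from the post).
Models only the rule syntax used by the post's four filter rules."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

MACROS = {"interweb": "re0", "wireless": "wlan0"}
# The post elides the <trusted> members; these are constructed TEST-NET-3 placeholders.
TABLES = {"trusted": ["203.0.113.10", "203.0.113.11"]}
SERVICES = {"domain": 53, "ntp": 123}

PF_CONF = """
block in log quick on $interweb all
pass out all keep state
pass quick on $interweb proto udp from any to any port { domain, ntp } keep state
pass in quick on $interweb from <trusted> to any keep state
"""


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str = "any"       # "in", "out", or "any" when the rule names none
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "any"             # "any", "<table>", or an address/CIDR
    dst: str = "any"
    ports: frozenset = field(default_factory=frozenset)  # empty = any port


@dataclass
class Packet:
    iface: str
    direction: str
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _port(tok):
    return SERVICES.get(tok) or int(tok)


def parse_rules(conf):
    """Parse the subset of pf.conf syntax used by the post's filter rules."""
    rules = []
    fields = {"on": "iface", "proto": "proto", "from": "src", "to": "dst"}
    for line in conf.splitlines():
        text = line.split("#", 1)[0].strip()
        if not text:
            continue
        for name, val in MACROS.items():
            text = text.replace("$" + name, val)
        toks = text.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
        rule, i = Rule(action=toks[0]), 1
        while i < len(toks):
            tok = toks[i]
            if tok in ("in", "out"):
                rule.direction = tok
            elif tok == "quick":
                rule.quick = True
            elif tok in fields:
                i += 1
                setattr(rule, fields[tok], toks[i])
            elif tok == "port":
                i += 1
                if toks[i] == "{":
                    ports, i = set(), i + 1
                    while toks[i] != "}":
                        ports.add(_port(toks[i]))
                        i += 1
                    rule.ports = frozenset(ports)
                else:
                    rule.ports = frozenset({_port(toks[i])})
            # "log", "all", "inet", "keep", "state" do not affect matching here
            i += 1
        rules.append(rule)
    return rules


def _addr_ok(spec, addr):
    if spec == "any":
        return True
    if spec.startswith("<") and spec.endswith(">"):
        return addr in TABLES[spec[1:-1]]
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction)
            and rule.iface in (None, pkt.iface)
            and rule.proto in (None, pkt.proto)
            and _addr_ok(rule.src, pkt.src) and _addr_ok(rule.dst, pkt.dst)
            and (not rule.ports or pkt.dport in rule.ports))


def evaluate(rules, pkt):
    """Return (action, index of the deciding rule); pf passes when nothing matches."""
    winner = None
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            winner = idx
            if rule.quick:           # quick ends evaluation; otherwise last match wins
                break
    return ("pass", None) if winner is None else (rules[winner].action, winner)


def unreachable_inbound(rules):
    """Indices of pass rules that could match inbound traffic but never decide it,
    because a representative inbound packet built from the rule is already
    decided by an earlier quick rule."""
    unreachable = []
    for idx, rule in enumerate(rules):
        if rule.action != "pass" or rule.direction == "out":
            continue
        if rule.src.startswith("<"):
            src = TABLES[rule.src[1:-1]][0]
        else:
            src = "198.51.100.1" if rule.src == "any" else rule.src.split("/")[0]
        pkt = Packet(rule.iface or "re0", "in", rule.proto or "tcp",
                     src, "192.0.2.1", next(iter(rule.ports), 22))
        decided = evaluate(rules, pkt)[1]
        if decided is not None and decided < idx:
            unreachable.append(idx)
    return unreachable


if __name__ == "__main__":
    rules = parse_rules(PF_CONF)
    print(evaluate(rules, Packet("re0", "in", "tcp", "203.0.113.10", "192.0.2.1", 22)))  # ('block', 0)
    print(unreachable_inbound(rules))  # [2, 3]
```

Run against the post's rules, the evaluator reports the `pass quick ... proto udp` rule and the `pass in quick ... from <trusted>` rule as unreachable for inbound traffic on re0: `block in log quick on $interweb all` sits above them, matches every inbound packet on that interface and, being quick, ends evaluation. Outbound traffic from the box and the wireless clients is unaffected, because `pass out all keep state` creates the state entries that return packets match. If inbound access from <trusted> hosts is actually wanted, that pass rule has to be placed before the quick block.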
dnsmasq.conf (from the dns/dnsmasq port):
Code:
# /usr/local/etc/dnsmasq.conf
# the following 2 lines are ONLY required if you don't have
# a recursive DNS serving your network
#server=<DNS_SERVER_IP_#1>
#server=<DNS_SERVER_IP_#2>
dhcp-range=wlan0,172.16.0.10,172.16.0.15,255.255.255.0,24h
# the mac address of a device you want to assign a static HOST name to
dhcp-host=uu:vv:ww:xx:yy:zz,my-wireless-device1
dhcp-option=option:router,172.16.0.1
# Android devices sing loudly, and frequently to google
# this is a waste of packets. So let's stop it here
address=/clients3.google.com/127.0.0.1
address=/clients.l.google.com/127.0.0.1
# Logging facilities
log-facility=/var/log/dnsmasq.log
# note: after determining everything works as desired
# You may want to nuke the following line, and ONLY the following line
log-queries
log-dhcp
log-async
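The DHCP lines above only work if they agree with what rc.conf gives wlan0 (172.16.0.1/24): the range must lie inside that subnet and leave out the AP's own address, the router option must name the AP, and each dhcp-host MAC must be well formed (a stray trailing colon makes dnsmasq reject the entry). The following is an added example of mine, not code from the post, that checks those points over two constructed dnsmasq.conf samples; the MAC addresses in it are placeholders.

```python
"""Consistency checks for the DHCP part of a dnsmasq.conf (added example, not
from the post), compared against the address the AP interface has in rc.conf."""
import ipaddress
import re

MAC_RE = re.compile(r"^([0-9a-f]{2}:){5}[0-9a-f]{2}$", re.IGNORECASE)

# Constructed sample: the post's DHCP lines with a placeholder MAC
GOOD_CONF = """
dhcp-range=wlan0,172.16.0.10,172.16.0.15,255.255.255.0,24h
dhcp-host=00:11:22:33:44:55,my-wireless-device1
dhcp-option=option:router,172.16.0.1
"""

# Constructed sample with two mistakes: a trailing ':' on the MAC and a router
# option that is not the AP's own address
BAD_CONF = """
dhcp-range=wlan0,172.16.0.10,172.16.0.15,255.255.255.0,24h
dhcp-host=00:11:22:33:44:55:,my-wireless-device1
dhcp-option=option:router,172.16.0.254
"""


def parse_dnsmasq(conf):
    """Collect key=value lines into {key: [values]}, ignoring comments."""
    opts = {}
    for line in conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, val = line.split("=", 1)
            opts.setdefault(key.strip(), []).append(val.strip())
    return opts


def check_dhcp(conf, iface, iface_addr, netmask):
    """Return a list of problems; an empty list means the DHCP settings
    agree with the interface configuration."""
    problems = []
    router = ipaddress.ip_address(iface_addr)
    net = ipaddress.ip_interface(f"{iface_addr}/{netmask}").network
    opts = parse_dnsmasq(conf)

    for rng in opts.get("dhcp-range", []):
        parts = rng.split(",")          # interface,start,end[,netmask[,lease]]
        if parts[0] != iface:
            problems.append(f"dhcp-range is bound to {parts[0]}, not {iface}")
        start, end = ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2])
        if start not in net or end not in net:
            problems.append(f"dhcp-range {start}-{end} lies outside {net}")
        if start <= router <= end:
            problems.append(f"dhcp-range hands out the AP's own address {router}")
        if len(parts) > 3 and parts[3] != netmask:
            problems.append(f"dhcp-range netmask {parts[3]} differs from {netmask}")

    for host in opts.get("dhcp-host", []):
        mac = host.split(",")[0]
        if not MAC_RE.match(mac):
            problems.append(f"dhcp-host has a malformed MAC address {mac!r}")

    for opt in opts.get("dhcp-option", []):
        if opt.startswith("option:router,"):
            given = opt.split(",", 1)[1]
            if ipaddress.ip_address(given) != router:
                problems.append(f"router option {given} is not the AP address {router}")
    return problems


if __name__ == "__main__":
    for name, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(name, check_dhcp(conf, "wlan0", "172.16.0.1", "255.255.255.0"))
```

The interface address and netmask are taken from the `ifconfig_wlan0` line in rc.conf; changing that line without updating dnsmasq.conf is exactly the kind of drift the check catches.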
Here are the results using the above configuration:
The ethernet (re0):
Code:
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=8209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC,LINKSTATE>
ether 34:97:f6:9f:d1:8f
inet XX.YY.ZZ.86 netmask 0xffffff00 broadcast XX.YY.ZZ.255
inet6 fe80::3697:f6ff:fe9f:d18f%re0 prefixlen 64 scopeid 0x1
nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
This is a good card, and I may have done better choosing bridge(4) for my setup, which would have provided hardware tagging for better performance.
The wireless (ath0):
Code:
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
ether ec:08:6b:fd:cd:5a
inet 172.16.0.1 netmask 0xffffff00 broadcast 172.16.0.255
nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>
media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
status: running
ssid WIFI_GW channel 11 (2462 MHz 11g ht/40-) bssid ec:08:6b:fd:cd:5a
regdomain FCC country US indoor ecm authmode OPEN privacy OFF
txpower 30 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8
shortgi -ldpc wme burst dtimperiod 1 -dfs
groups: wlan
This ath(4) card also supports hardware tagging/offloading and other "goodies". Another reason I might have been better off using bridge(4).
Please note: the above configuration is essentially open. I'm filtering on MAC addresses as a means of authentication. In my situation, this method will suffice, but in your situation it may not. In any case, you would do well to have a look at the hostapd(8) man pages, as it offers many other "features" not covered here. This is a good starting point for anyone working on a similar application of a Wireless Access Point on FreeBSD.
A special thanks to Phishfry and ralphbsz for providing me the "clue bats" necessary to accomplish this, and especially to Phishfry for his persistence!
Thanks!
--Chris