HostAP 802.11n with hostapd

[CallumA]

I'm running 10.1-RELEASE and trying to use my AR9462-based WiFi card as an 802.11n AP (5GHz or 2.4GHz, not decided yet). I can configure the SSID, I can get hostapd to authenticate and encrypt with WPA2 but I can't work out how to make it broadcast 802.11n on the channel I want reliably with HT40!

I've been stuck with this for hours now, I've set this up in Linux before but the same kind of configuration (setting all the modes in the hostapd config) doesn't work the same in FreeBSD.

What I've got in my rc.conf is:

wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="up ssid WiFiAP mode 11a channel 44"

hostapd_enable="YES"

It kind of works but not really, it doesn't like using the channel I tell it to all the time, sometimes it literally decides to do 802.11a only, sometimes it does do 40MHz channels. Even if I disable hostapd and just use the ifconfig settings I get the same problem.

Another problem I have when hostapd is used is that as the system boots up the network is broadcast before hostapd is ready which results in some time where the network has no WPA and is completely open.

I've been trying to follow this doc page to no avail: https://www.freebsd.org/doc/en/books/handbook/network-wireless.html

This is incredibly frustrating, if anyone can help it would be much appreciated!

Thanks in advance.

 

[tOsYZYny]

I am new to FreeBSD and running hostapd on FreeBSD. I have run hostapd on Linux with few issues; however:

1. ifconfig_wlan0 - ssid, this I thought is for connecting to an access point as a client. I don't believe you want to declare that here as this is a hostapd thing and they'll likely be fighting one another to set it.
2. 802.11n is not widely supported
3. Access Point functionality is more limited than on Linux

 

[Phishfry]

Here are the settings I use for an PC Engines APU2
/etc/rc.conf

cloned_interfaces="bridge0"
ifconfig_bridge0="addm igb0 addm igb1 addm igb2 addm wlan0 SYNCDHCP"
wlans_ath0="wlan0"
ifconfig_wlan0="up mtu 1500"
create_args_wlan0="wlanmode hostap country US ssid apu2ap channel 36"
ifconfig_igb0="up"
ifconfig_igb1="up"
ifconfig_igb2="up"
hostapd_enable="YES"
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
defaultrouter="192.168.1.1"

I have to set the wlan0 MTU to use in a bridge.

/etc/hostapd.conf

interface=wlan0
ssid=apu2ap
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
wpa=2
wpa_passphrase=########
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

I use pf for NAT
/etc/pf.conf

ext_if="wlan0"
set skip on lo
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)

root@APU2:~ # ifconfig -vv wlan0
wlan0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
    ether 4c:5e:0c:11:65:38
    groups: wlan
    ssid apu2ap channel 36 (5180 MHz 11a ht/40+) bssid 4c:5e:0c:11:65:38
    regdomain FCC country US anywhere ecm authmode WPA2/802.11i -wps -tsn
    privacy MIXED deftxkey 3
    TKIP 2:128-bit
    TKIP 3:128-bit powersavemode OFF powersavesleep 100 txpower 17
    txpowmax 50.0 -dotd rtsthreshold 2346 fragthreshold 2346 bmiss 7
    11a     ucast NONE    mgmt  6 Mb/s mcast  6 Mb/s maxretry 6
    11na    ucast NONE    mgmt  6 Mb/s mcast  6 Mb/s maxretry 6
    scanvalid 60 -bgscan bgscanintvl 300 bgscanidle 250
    roam:11a     rssi    7dBm rate 12 Mb/s
    roam:11na    rssi    7dBm  MCS  1
    -pureg protmode CTS ht htcompat ampdu ampdulimit 64k ampdudensity 8
    amsdu shortgi htprotmode RTSCTS -puren -smps -rifs stbc ldpc -vht
    -vht40 -vht80 -vht80p80 -vht160 wme burst -dwds -hidessid apbridge
    dtimperiod 1 doth -dfs inact bintval 100
    AC_BE cwmin  4 cwmax  6 aifs  3 txopLimit   0 -acm ack
          cwmin  4 cwmax 10 aifs  3 txopLimit   0 -acm
    AC_BK cwmin  4 cwmax 10 aifs  7 txopLimit   0 -acm ack
          cwmin  4 cwmax 10 aifs  7 txopLimit   0 -acm
    AC_VI cwmin  3 cwmax  4 aifs  1 txopLimit  94 -acm ack
          cwmin  3 cwmax  4 aifs  2 txopLimit  94 -acm
    AC_VO cwmin  2 cwmax  3 aifs  1 txopLimit  47 -acm ack
          cwmin  2 cwmax  3 aifs  2 txopLimit  47 -acm
    media: IEEE 802.11 Wireless Ethernet autoselect mode 11na <hostap>
    status: running

 

[tOsYZYny]

Phishfry what wifi adapter are you using and what are your speeds? I can see you're using the Atheros driver.

It also appears that you're bridging the wired and wireless networks, correct?

 

[Phishfry]

Yes I am bridging all my interfaces. I run OPNSense box behind my cable modem and my APU2 WAP is located in a more convenient location. I used to use dnsmasq with many subnets but on my most recent NanoBSD build I decided to try out bridging.
My APU2 WAP is built with NanoBSD scripts for an appliance like device.

root@APU2:~ # df -h
Filesystem        Size    Used   Avail Capacity  Mounted on
/dev/mmcsd0s1a    220M    140M     63M    69%    /
devfs             1.0K    1.0K      0B   100%    /dev
/dev/md0           19M    2.3M     15M    14%    /etc
/dev/md1           19M    816K     16M     5%    /var

So as you can see my whole build is only 140 Megabytes. I spent much time slimming it down.
My Mikrotik wireless interface = https://mikrotik.com/product/R11e-5HnD

ath0@pci0:4:0:0:    class=0x028000 card=0xd01419b6 chip=0x0033168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR958x 802.11abgn Wireless Network Adapter'
    class      = network

 

[tOsYZYny]

Phishfry - That is awesome with the size - I would like to run on a smaller device with less power, my router is running @ about 40W! I am running an old workstation as a router, so for all the stuff I'm doing, my install comes in around 1.5GB. I do ad blocking, bad ip blocking via pf and some traffic shaping. I'd like to leverage suricata, argus, and dnstap more.

Back to the wifi, what sort of performance do you get with that chipset? It looks to be rated for g speeds (54Mbps). I would like to be able to install a PCI card and get 300Mbps + if at all possible.

 

[Phishfry]

I have built at least a dozen other WAP's from embedded devices. Mostly shelf sized boxes like NUC and Sophos firewalls.
There is nothing special about the Mikrotik module I am using. Many of my builds used plain old used Atheros modules from ebay.
AR5BXB112 and the half sized AR5BHB112 are both good devices. They are based on AR9380. I also use AR9280 devices.
I have seen problems with half sized AR928x like the AR9283 and AR9285. But the AR5BHB112 is half sized and works well.

I have not yet used the AR9462 as an WAP but I have some in use as clients. I have been meaning to build out a HP ProDesk600 with that module as an Access Point but retasked it as it is too beefy for an WAP. I have used P4 era 600Mhz Celeron with MiniPCI slot as the resources needed for a WAP are near nil.

CPU:  0.0% user,  0.0% nice,  0.0% system,  0.0% interrupt,  100% idle
Mem: 3608K Active, 10M Inact, 118M Wired, 19M Buf, 1719M Free
Swap:

  PID USERNAME    THR PRI NICE   SIZE    RES STATE    C   TIME    WCPU COMMAND
2362 root          1  20    0    13M  2656K CPU1     1   0:00   0.06% top
2355 root          1  20    0    20M  6496K select   2   0:00   0.01% sshd
  691 root          1  20    0    11M  1824K select   0   0:02   0.00% syslogd
  875 root          1  20    0    17M  4820K select   3   0:05   0.00% hostapd
  619 root          1  20    0    10M  1036K select   3   0:00   0.00% devd
  365 root          1  52    0    11M  1980K select   0   0:00   0.00% dhclient
  419 _dhcp         1  20    0    11M  2024K select   2   0:00   0.00% dhclient
  362 root          1  20    0    11M  1776K select   1   0:00   0.00% dhclient
2359 root          1  24    0    13M  2996K pause    0   0:00   0.00% csh
  847 root          1  20    0    19M  5600K select   3   0:00   0.00% sshd
  898 root          1  52    0    11M  1688K ttyin    2   0:00   0.00% getty

As for speeds that is something I do not harp on. I get 100 megabit max which matches my cable internet speed.
So I would say I average 8 megabytes/sec with peaks of 12 megabytes a second.

What I miss in speed I make up for in customization.
Want to add WPA3, no problem. Want to decrease re-keying encryption keying time. No problem.
Upgrading my WAP whenever I please. My WAP will never be EOL'ed.