Solved Subnet behind hostapd: naming conventions and naming for subnet

I made a subnet on my LAN, which is of 10.0.x.x. The main part of my local LAN is of 192.168.x.x.

To make this subnet work for outside network services, I had to use bridge0. This is after setting up hostapd, and creating a route.

My localnet is for instance attlocal.net. What am I allowed to name my subnet according to conventions. I may not want to have it the same as my conventional naming address of the main part of my LAN. The hostname seems easy, but what about the replacement part for attlocal.net, which I want to be different? Can I name it anything like myhostname.disney.land? or is there a convention? It seems like this works from my computer.

In this case I want my ftp server only accessible from behind my computer. I have an alias under the 10.0.x.x addresses for my ftp server.

I read that I have to edit /etc/hosts to allow a name for a subnet named address. Then, how do I restart it, so it takes effect?

I have a wifi access point from behind my FreeBSD machine, now I also need a name for the ftp server address from behind this access point. I don't want the ftp server to be seen from the main part of my LAN, only seen and accessed from this hostapd access point behind my FreeBSD computer.

Another question is, by default does having hostapd on a wlan not allow ftp or any other access from outside of my FreeBSD machine, like from the main part of my localnet? As long as my bridge isn't set to a static route from the ftp alias, to the outside router?

This may be so, but I may have difficulty testing this set up.

I'll write some details of my setup, so far:
I have hostapd.conf set up according to the handbook for wlan0.

rc.conf
Code:
gateway_enable="YES"
static_routes="hostap2internet"
route_hostap2internet="-net 192.168.x.x/24 10.0.x.x/8"
# above 3 needed for devices behind my computer to connect & use internet
# don't know whether to add a route from the alias to the modem,
# as it may be required for it to work, however,
# I don't want access from beyond behind my FreeBSD machine for FTP
hostapd_enable="YES"
wlans_wificard0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 10.0.x.x/8 ssid ..."
ifconfig_wlan0_ipv6="inet6 accept_rtadv"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm wificard0 addm wlan0 up"
# two above needed for access of internet of devices connected to hostapd,
# and to connect to hostapd
ftpd_enable="YES"
ftpd_flags="-A -D -l"
Don't have a wpa_supplicant.conf file, as it's not needed, as I'm using a wired connection to the computer.

small update:
I've used service hostid restart, and this reset what I named the IP's behind my BSD machine, which is what I edited in /etc/hosts. myhost.disney and myhost.disney.land seemed to both work. Running traceroute from the IP's or aliases also confirmed that my subnet IP's matched the desired aliases.

ftp is working from my machine to these aliases, IP's, and localhost. A little more may be needed for me to get them to work from a device behind this computer.
 
You need to learn first some basic networking. You are mixing a lot of terms which are not correct.
Learn about Network ID, Subnets, Domain Names, Routing. Then return back here and read again your post to see what you have typed.
 
My localnet is for instance attlocal.net. What am I allowed to name my subnet according to conventions.
networks do not generally have names nowadays. you may name a network in /etc/networks, but basically nothing actually uses this, except perhaps netstat -i. most people do not bother.

I may not want to have it the same as my conventional naming address of the main part of my LAN. The hostname seems easy, but what about the replacement part for attlocal.net, which I want to be different? Can I name it anything like myhostname.disney.land? or is there a convention? It seems like this works from my computer.
it seems you are not trying to name your subnet, but rather trying to name a new domain which will be specific to this subnet. in that case, use a subdomain of a real domain, or if you don't have a real domain, you could use a subdomain of ".home.arpa" (RFC 8375).

I read that I have to edit /etc/hosts to allow a name for a subnet named address. Then, how do I restart it, so it takes effect?
you do not need to "restart" /etc/hosts. modifications are immediately visible to applications.

ifconfig_wlan0="inet 10.0.x.x/8 ssid ..."
ifconfig_wlan0_ipv6="inet6 accept_rtadv"
cloned_interfaces="bridge0"
ifconfig_bridge0="addm wificard0 addm wlan0 up"
this is wrong. IP addresses should be assigned to the bridge interface, not the bridge member interfaces. this will produce a warning in 15.0 and will probably be forbidden by default in 16.0.
 
subdomain of ".home.arpa" (RFC 8375).
https://www.rfc-editor.org/rfc/rfc8375.html led me to find:
Code:
.lan.
.private.
.internal.
.intranet.
There's also .corp. for corporate use.
.home. was replaced with the one you mentioned there, as stated in the RFC. For those reading, there are recommendations not to use .local..

What if I wanted to use lots of subnets, would they use .lan. or .private. with any second level domain (SLD)? For instance on the 172.16.x.x IP block. Or if there were an alias SLD each for 10.1.x.x, 10.2.x.x, 10.3.x.x and so on. This with, for example: a.lan., b.lan., c.lan.. I'm not sure if this is appropriate for the IP block used for link local.

Learn about Network ID, Subnets, Domain Names, Routing.
Thank you. I'm in a hurry, but I will look into these soon. I know a little bit about some of these. Learning these will help. I'm not always good with terms, but I need to learn the correct terms when applicable and use them.


In my above set up, before getting responses, I've made some progress in understanding my network. Even though my device was behind my FreeBSD hostap, the IP address was still treated under the modem LAN of 192.x.x.x, instead of under the IP block of 10.x.x.x. My server was correctly placed under the 10.x.x.x IP block.

IP addresses should be assigned to the bridge interface, not the bridge member interfaces.
I need to still figure this out, and I believe what I came across aligns with this. I may need a separate interface for .lan. without internet, and one from behind .lan. which can use the internet. I may need an interface that allows both functions.

I want a subnet inaccessible from my modem, and only accessible from behind my FreeBSD hostapd. Also, as this is a bridge, which needs the IP address, I want it only accessible from behind the .lan. address.

Also, I may have made a hostapd configuration mistake in the past, as now I'm able to connect my device to the hostapd subnet, without requiring that to be bridged to my modem.

After naming conventions are finished being addressed, further set up will require me figuring this out alone or help by a new thread. They mostly are addressed, and there may be a bit left.
 
What am I allowed to name my subnet according to conventions.
There is no convention. Your domain can have entries from any subnet, there's nothing in DNS that says all A (or AAAA) entries within a domain or subdomain have to be from a specific subnet range. Only your reverse (PTR) records have to be in the proper .in-addr.arpa. (or .ip6.arpa.) domain.
 
There is no convention
For the TLD there is a convention as pointed out by the RFC's above. It says the name can leak out and conflict with a real TLD. It recommends to use reserved names for those TLD's for future proofing.

So, for the SLD (second level domain) and hostname, there must not be a convention. It seems that SLD and hostnames can be named almost anything.

Naming it .lan. instead of home.arpa. gives room for SLD naming, so I can label my subnets anything under them. A subnet behind my hostapd interface. This works for me for alias subnet naming.
 
For the TLD there is a convention as pointed out by the RFC's above. It says the name can leak out and conflict with a real TLD. It recommends to use reserved names for those TLD's for future proofing.
Yes, but that's for your entire home network (or local company), there's no convention for using different (sub)domains for different subnets. I've set up DNS for my home lab eons ago and picked .home specifically because I was sure it wasn't a registered TLD. .local was a bad pick because I already noticed things like Avahi and ZeroConf (mDNS) used it as a TLD. This was 20 years before the RFC and several years before the addition of a bunch of new TLDs (like .xxx or .xyz).

Naming it .lan. instead of home.arpa. gives room for SLD naming
Nothing is stopping you from creating workstations.home.arpa., servers.home.arpa. and perhaps wireless.home.arpa. if you want to go that route. Your reverse 1.168.192.in-addr.arpa. will only have 192.168.1.0/24 addresses, and 0.0.10.in-addr.arpa. for 10.0.0.0/24 addresses or just chuck the whole 10/8 in a 10.in-addr.arpa..
 
Yes, but that's for your entire home network (or local company), there's no convention for using different (sub)domains for different subnets.
I wanted a different NetworkID or TLD for the subnet behind my FreeBSD machine, than the one given to me behind my modem by my Internet provider. I didn't want the same TLD and SLD name from my Internet provider from behind my modem to the Internet as the same TLD and SLD for my subnets behind my FreeBSD machine.

I wanted a separation, including TLD naming, from those two or more different parts of my LAN. This information and RFC references may have been lacking in the forums before, unless I missed it, because I wasn't good with terminology. .lan. has been used in examples throughout the Internet and on here, and this is a correct TLD naming convention. The RFC's verify that this is correct.
 
What if I wanted to use lots of subnets, would they use .lan. or .private. with any second level domain (SLD)? For instance on the 172.16.x.x IP block. Or if there were an alias SLD each for 10.1.x.x, 10.2.x.x, 10.3.x.x and so on. This with, for example: a.lan., b.lan., c.lan.. I'm not sure if this is appropriate for the IP block used for link local.
as SirDice said, there's no particular need to do this. but if you want to, you can: you "own" the .lan domain, so you can do whatever you want with it.

personally i think this is a bad idea because it means you have to remember what IP network every service is on to access it via a DNS name, which rather defeats the point of having DNS in the first place.

i'm not sure what you mean by link local - what are you using link-local addresses for?
I need to still figure this out, and I believe what I came across aligns with this. I may need a separate interface for .lan. without internet, and one from behind .lan. which can use the internet. I may need a interface that allows both functions.
i'm finding it difficult to follow what you're trying to do here. perhaps you could provide a network diagram that shows what you want to achieve.
 
Thought this was solved, but was unable to yet make a worded domain name for my network ID
i'm finding it difficult to follow what you're trying to do here. perhaps you could provide a network diagram that shows what you want to achieve.
  • [ Modem IP address 192.168.255.255 domain name given by ISP, lan]
    • [ Could optionally have additional device connections wifi or wired ]
    • [ FreeBSD machine 10.255.255.255, separate lan - need to set worded domain name for this Network ID ]
      • [ FTP server only accessible behind this computer; on wifi access point ]
      • [ Wifi Internet access point for devices using BSD computer as gateway ]

- For FTP server to be inaccessible from 192.168.255.255 part of lan.
- For bridge on hostapd access point to hook up devices on wifi run by FreeBSD, and devices to access the Internet with FreeBSD as gateway, up to modem. Devices need to be on 10.0.x.x LAN
- This could be on two separate Network ID's (LANs) or on 1, but all behind FreeBSD machine.
- In short, to use FreeBSD machine, to keep certain devices and servers off limits beyond this machine.
- Don't want to chance that someone hooks directly into a separate router connected to ISP modem, and gains access to LAN, as has happened before. Ethernet wire was run between buildings, and someone who doesn't know anything let them hook into that router.
- Need secure wifi for devices and servers, behind BSD computer.

Thought that hosts took care of naming the domain name of Network ID's, but as its name is, it sets hostnames. Then, I can correctly name a host and domain name, disney.lan, and this would be proper. j/k

Thinking, that a local server may be needed to set the worded domain name to the LAN. Need to set domain name of LAN.

For instance to set 10.x.x.x to .lan., or to set 10.1.x.x to .a.lan.. These are separate from the host names.
 
For DNS, I've looked into dns/bind920, dns/maradns and dns/nsd. As for Bind, it used to be in FreeBSD base, and Unbound replaced it for fewer purposes. Bind has a script which generates its own zone files. Though, Bind is heavy. Didn't find maradns as lightweight as it's claimed to be. Decided on nsd: it seems lightweight, simpler and more secure.

Still have the PDF file of the last section of FreeBSD 6 Unleashed which has chapters that detail Bind, and DHCP. This last section was in PDF, and not in physical format.

The configuration file for nsd doesn't look too difficult, but looking at the sample file looks overwhelming. From that configuration file, the zone file location is set. The zone file has the namespace and DNS records. It comes with a doc file for users who are familiar with using Bind. For all of its docs and manpages: pkg info -l dns/nsd | less.

Based on https://nsd.docs.nlnetlabs.nl/en/latest/configuration.html, /usr/local/etc/nsd/nsd.conf:
Code:
server:
        server-count: 1
        username: bind
        logfile: "/var/log/nsd.log"
        pidfile: "/var/run/nsd/nsd.pid"

remote-control:

zone:
        name: lan
        zonefile: /usr/local/etc/nsd/lan.zone
nsd-checkconf /usr/local/etc/nsd/nsd.conf doesn't produce errors.

Running nsd-checkzone lan lan.zone on an empty file, shows it looks for DNS records. This will be the final challenge of setting up my DNS. I'll learn from this zone file example: https://nsd.docs.nlnetlabs.nl/en/latest/zonefile.html.

Also using nslookup(1) from dns/bind-tools to test the IP and domain names.

I missed this:
you may name a network in /etc/networks, but basically nothing actually uses this, except perhaps netstat -i. most people do not bother.


Zone files for Bind and nsd, both use RFC 1035. If I make progress on nsd's configuration, I'll post back later. I believe all I am lacking on is the zone file. Needs enough for it to be working and named for this to be marked solved.
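A minimal RFC 1035 zone file for the lan zone named in that nsd.conf, as an added example (not the poster's file): it carries the SOA and NS records nsd-checkzone looks for before it accepts a zone, plus the two hosts the thread later puts in /etc/hosts (10.1.0.1 disney, 10.1.0.2 world). The nameserver name ns.lan with address 10.1.0.1, and the helper functions, are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Writes a minimal zone for "lan" and
# offers two checks a reader can run against it.

# Write the zone to the path given as $1.
write_lan_zone() {
    cat > "$1" <<'EOF'
$ORIGIN lan.
$TTL 3600
; SOA: primary nameserver, responsible mailbox (hostmaster@lan), then the
; serial and timers. ns.lan / 10.1.0.1 is an assumed nameserver host.
@       IN  SOA  ns.lan. hostmaster.lan. (
                 2024010101 ; serial (YYYYMMDDnn, bump on every change)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 300 )      ; minimum / negative-cache TTL
@       IN  NS   ns.lan.
ns      IN  A    10.1.0.1
disney  IN  A    10.1.0.1
world   IN  A    10.1.0.2
EOF
}

# Print the A record for bare host name $2 in zone file $1.
# Exit status 1 (and no output) when the name is not in the zone.
zone_lookup() {
    awk -v n="$2" '$1 == n && $2 == "IN" && $3 == "A" { print $4; found = 1 }
                   END { exit !found }' "$1"
}

# nsd-checkzone rejects a zone without an SOA and at least one NS at the
# apex; this mirrors that check without needing nsd installed.
zone_is_complete() {
    grep -q '^@[[:space:]]*IN[[:space:]]*SOA' "$1" &&
    grep -q '^@[[:space:]]*IN[[:space:]]*NS' "$1"
}

# Usage on a FreeBSD box with dns/nsd installed (path from the nsd.conf above):
#   write_lan_zone /usr/local/etc/nsd/lan.zone
#   nsd-checkzone lan /usr/local/etc/nsd/lan.zone
```

Bump the serial every time the file changes, or secondaries and caches keep serving the old data.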
 
I'm not sure if I'll still need nsd or any DNS for this small scale purpose. Was struggling with the zone file. Finally got the name to the alias to work from /etc/hosts:
Code:
10.1.0.1     disney   disney.lan
10.1.0.2     world    world.lan

Now I'm wondering if DHCPd replaces bridge. It seems that was suggested. I'll try it. The bridge allowed my devices to access the Internet from behind my computer, however, it used the IP from the router, and not the one set from my BSD computer. But, I also set the IP address to the wrong interface before. It seems, these devices require DHCPd anyway.
 
Now I'm wondering if DHCPd replaces bridge. It seems that was suggested. I'll try it.
I thought there were two ways to network a Software Access Point..
Bridging and Routing.
DHCPd or similar are a different layer right?
I do all LAGG where ever possible now. So that is another approach.

Have you ruled out dns/dnsmasq? I am a fan.
Setup your own DNS and DHCP for the wlan and do not use bridge
On my wifi box APU2AP I have tried both ways with FreeBSD.

Bridge mode where upstream handles everything. Similar to OpenWRT dumb access point.

The other way using pf/NAT and a separate dnsmasq server. More control but harder to setup. Must make rules on my main firewall to traverse the subnets.
 
I thought there were two ways to network a Software Access Point..
Bridging and Routing.
DHCPd or similar are a different layer right?
I do all LAGG where ever possible now. So that is another approach.

Have you ruled out dns/dnsmasq? I am a fan.

On my wifi box APU2AP I have tried both ways with FreeBSD.

Bridge mode where upstream handles everything. Similar to OpenWRT dumb access point.

The other way using pf/NAT and a separate dnsmasq server. More control but harder to setup. Must make rules on my main firewall to traverse the subnets.
I'm lost. A question on bridging. When you do bridging, does it give the device behind your BSD computer the IP address of the network ID behind the BSD box, or does it give it the IP address of the modem, that the BSD box uses to access the Internet?

It's said, I set the IP's to the wrong interface, that it should be set to the bridge, not to wlan. However, it worked to give it the IP address of my modem, and not the IP range of that behind my FreeBSD computer.

dnsmasq comes with too much. I'm looking for the simplest solution. That my devices will use the IP range of that of the computer, and not of the modem, but still access the Internet. Would a DNS forwarder, be all I need, and replace the need for a bridge?

If it can be done with a bridge, I'll do that. If it can be done with DHCPd, I'll do that. Idk about the dns forwarder dns/mosdns.
 
Normally I set a 'WAN' interface, whether that be cellular or wired, and then bridge everything else. DHCP on the WAN. Static IP on the bridge, not members. Simply 'up' the member interfaces.
I seem to remember a quirk where Atheros needs MAC address fixed in rc.conf wifi radio settings to add interface to bridge along with the wired ethernet interfaces on APU1/2/3/4.
 
IP addresses should be assigned to the bridge interface, not the bridge member interfaces. this will produce a warning in 15.0 and will probably be forbidden by default in 16.0.
I edited it in rc.conf, moving the IP argument from the wlan0 to the bridge0 line:
Code:
ifconfig_bridge0="inet 10.x.x.x/8 addm re0 addm wlan0 up"
It has to go at the beginning, or it won't work. It took a reboot for this and other settings to show up correctly on the bridge0 and wlan0 interfaces.

It appears, that the bridge makes it so, anything bridged uses the IP addresses issued by the modem, and not from behind the BSD computer. Because of this, it makes sense, that the IP is issued to the bridge.

To access servers behind my BSD machine, I'll either have to add a route, or use a DHCP program. This will be marked solved, as it's about subnet naming, subnet IP's and making that work. For my purposes, it will require more reading and maybe a new thread.
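A quick check for the mistake fixed above, as an added example (not from the thread): it reads ifconfig output and reports any bridge member interface that still carries an inet address, which is the configuration that will warn in 15.0. The sample output is constructed, with 10.0.0.1 standing in for the 10.x.x.x address.

```shell
#!/bin/sh
# Added example, not from the thread. Feed it `ifconfig -a` on FreeBSD:
#   ifconfig -a | addressed_bridge_members
# Prints "<member> <inet> (member of <bridge>)" per offending interface,
# and nothing when every address sits on the bridge itself.
addressed_bridge_members() {
    awk '
    /^[a-z0-9]+:/            { iface = $1; sub(/:$/, "", iface) }
    /^[[:space:]]+member: /  { member[$2] = iface }   # which bridge owns it
    /^[[:space:]]+inet /     { addr[iface] = $2 }     # IPv4 on this iface
    END {
        for (m in member)
            if (m in addr)
                print m, addr[m], "(member of " member[m] ")"
    }'
}

# Constructed ifconfig output matching the thread's first rc.conf:
# the address on wlan0, a member of bridge0.
sample_wrong() {
    cat <<'EOF'
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    id 00:00:00:00:00:00 priority 32768 hellotime 2 fwddelay 15
    member: wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
re0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
EOF
}

# Constructed output after the fix: the address moved to bridge0.
sample_fixed() {
    cat <<'EOF'
bridge0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 10.0.0.1 netmask 0xff000000 broadcast 10.255.255.255
    member: wlan0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
    member: re0 flags=143<LEARNING,DISCOVER,AUTOEDGE,AUTOPTP>
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
re0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
EOF
}
```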
 