FreeBSD Wireless Access Point
Here are some details on how I set up my FreeBSD wireless access point with two wireless LANs, one WEP and one WPA.
The access point is an Acer Aspire One D250 running FreeBSD 8 with an Atheros 5424 wireless NIC. FreeBSD 8.0-RELEASE supports the wireless NIC on the D250 (but you need FreeBSD 8-STABLE for the wireless NIC in the Acer Aspire One P531h).
I have two WLANs (Wireless LANs) running on the FreeBSD access point. One of the WLANs is WEP (Wired Equivalent Privacy) but the SSID (Service Set IDentifier) is not broadcast, so it does not show up when a device searches for wireless networks. The other WLAN is WPA-PSK (Wireless Protected Access Pre-Shared Key) with the SSID broadcast enabled.
I use the WPA WLAN for what I consider to be "dirty" systems. For example, a WinXP netbook or a Belkin Skype wireless phone. The WEP WLAN I use for my main FreeBSD Xorg netbook.
The firewall rules I've set up are quite different for the WPA versus the WEP WLAN. The WEP WLAN has no direct internet connectivity and no DHCP server - systems on the WEP network must use the proxy (squid) on the access point/firewall. The WPA WLAN allows all outgoing traffic (dirty, dirty, dirty).
Note that when using WPA for a FreeBSD client (my Xorg netbook), if the access point is rebooted, the wpa_supplicant process on the FreeBSD client must be restarted. With WEP, there is no wpa_supplicant and rebooting either the client system or access point causes no wireless re-connection problems.
Also, using the "hidessid" option with WPA breaks the WLAN - my FreeBSD client could not connect to a WPA network when it was not broadcasting its SSID.
Finally, enabling two WLANs on the same physical interface, each with WEP cryptography, breaks both WLANs. It seems the wireless network driver(s) get upset when there are two WEP WLANs on the same physical interface. I have not tested two WEP WLANs each with their own physical interface. My solution was to use one WEP and one WPA WLAN on the same physical interface (ath0).
So, my setup is...
WPA WLAN - SSID broadcast and DHCP enabled
WEP WLAN - SSID broadcast disabled, no DHCP (only static IP assignment)
Interface ath0 is the physical wireless NIC in the FreeBSD access point/firewall.
Here's the magic in /etc/rc.conf ...
ifconfig_ath0="up"
wlans_ath0="wlan0 wlan1" # wlan(4) interfaces for ath0 device
# note that "hidessid" breaks WPA, so we use WEP. WEP is also more reliable it seems.
create_args_wlan0="wlanmode ap bssid channel 6 media autoselect mode 11g ssid WEP_SSID_GOES_HERE wepmode on weptxkey 1 nwkey WEP_SHARED_KEY_GOES_HERE hidessid"
create_args_wlan1="wlanmode ap bssid ssid WPA_SSID_GOES_HERE"
ifconfig_wlan0="inet 10.0.0.1 netmask 255.255.255.240"
ifconfig_wlan0_alias0="inet 10.0.0.2 netmask 255.255.255.255"
ifconfig_wlan1="inet 10.0.1.1 netmask 255.255.255.240"
# enable the hostap daemon for WPA.
hostapd_enable="YES" # Run hostap daemon.
You'll obviously have to change the IP addresses and subnet masks to match your setup.
The hostap daemon (hostapd) manages the WPA crypto. The /etc/hostapd.conf configuration file I used looks like...
interface=wlan1
debug=1
ssid=WPA_SSID_GOES_HERE
wpa=1
wpa_passphrase=WPA_PRE_SHARED_KEY_GOES_HERE
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
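As an added example (not from the original page), here is a small POSIX sh lint that reads rc.conf and hostapd.conf text for the two combinations this page reports as breaking the access point: "hidessid" on the interface hostapd runs WPA on, and two "wepmode on" WLANs on one physical device. The function names and the embedded sample configs (with a dummy WEP key) are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original page: lint rc.conf wlan definitions
# for the two combinations described above as breaking the access point:
# "hidessid" on the interface hostapd runs WPA on, and more than one
# "wepmode on" WLAN on the same physical device. Plain sh + sed only.

# Constructed sample inputs (dummy key). BAD_RC has both problems; GOOD_RC
# mirrors this page's layout: WEP+hidessid on wlan0, WPA via hostapd on wlan1.
BAD_RC='wlans_ath0="wlan0 wlan1"
create_args_wlan0="wlanmode ap bssid ssid NET_A wepmode on weptxkey 1 nwkey 0x1234567890"
create_args_wlan1="wlanmode ap bssid ssid NET_B wepmode on weptxkey 1 nwkey 0x1234567890 hidessid"'
GOOD_RC='wlans_ath0="wlan0 wlan1"
create_args_wlan0="wlanmode ap bssid channel 6 ssid NET_A wepmode on weptxkey 1 nwkey 0x1234567890 hidessid"
create_args_wlan1="wlanmode ap bssid ssid NET_B"'
HOSTAPD='interface=wlan1
wpa=1'

# Print the create_args_<wlan> value from rc.conf text ($1) for wlan $2.
wlan_args() {
    printf '%s\n' "$1" | sed -n "s/^create_args_$2=\"\(.*\)\"/\1/p"
}

# Print one line per problem found ($1 = rc.conf text, $2 = hostapd.conf text).
wlan_findings() {
    wpa_if=$(printf '%s\n' "$2" | sed -n 's/^interface=//p')
    # wlans_<dev>="wlanX wlanY" lists the virtual wlans on each device.
    printf '%s\n' "$1" | sed -n 's/^wlans_\([a-z0-9]*\)="\(.*\)"/\1 \2/p' |
    while read -r dev wlans; do
        wep=0
        for w in $wlans; do
            args=" $(wlan_args "$1" "$w") "
            case "$args" in *" wepmode on "*) wep=$((wep + 1)) ;; esac
            if [ "$w" = "$wpa_if" ]; then
                case "$args" in *" hidessid "*) echo "$w: hidessid on the hostapd (WPA) interface breaks clients" ;; esac
            fi
        done
        if [ "$wep" -gt 1 ]; then echo "$dev: $wep WEP WLANs on one device breaks both"; fi
    done
}

# Exit 0 when clean; otherwise print the findings and exit 1.
wlan_check() {
    findings=$(wlan_findings "$1" "$2")
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
wlan_check "$GOOD_RC" "$HOSTAPD" && echo "GOOD_RC: ok"
wlan_check "$BAD_RC" "$HOSTAPD" || echo "BAD_RC: rejected"
```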
For DHCP, I use the ISC-DHCP daemon, which has a /usr/local/etc/dhcpd.conf configuration of...
subnet 10.0.1.0 netmask 255.255.255.240 {
    option subnet-mask 255.255.255.240;
    option domain-name "your.local.domain";
    option domain-name-servers 10.0.1.1;
    option routers 10.0.1.1;
    max-lease-time 3600;
    range 10.0.1.6 10.0.1.9;
}
That's 4 IPs available via DHCP. The access point/firewall is also my local DNS server.
To launch the DHCP daemon, in /usr/local/etc/rc.d I have a dhcpd.sh script...
#!/bin/sh
# Start/stop the ISC DHCP daemon on the WPA WLAN interface.
PIDF=/var/run/dhcpd.pid
NULL=/dev/null
INTF=wlan1 # DHCP on interface wlan1

# Kill a running dhcpd (if its pid file exists) and remove the pid file.
stop_dhcpd() {
    if [ -f "${PIDF}" ]; then
        PID=$(cat "${PIDF}")
        ps -p "${PID}" >"${NULL}" 2>&1 && kill "${PID}"
        rm -f "${PIDF}"
    fi
}

case $1 in
    stop) stop_dhcpd ;;
    start) stop_dhcpd && sleep 1
        /usr/local/sbin/dhcpd -pf "${PIDF}" "${INTF}"
        ;;
    *) echo "usage: $0 {start|stop}" >&2 ;;
esac
# EOF
And that's it. It took many hours of testing to come to this simplified configuration. Enjoy.