How to create a FreeBSD wireless router/access point

This is a howto for creating a wireless access point using a FreeBSD computer equipped with a wireless network interface.

Prerequisites

There are many (good and bad) reasons for building an access point from a Unix machine. In my case, I did it for fun and for conducting experiments.

I used an old IBM laptop with a Netgear (Atheros chipset) wireless interface. The operating system is FreeBSD 6.0-RELEASE. Make sure the wireless interface works properly as an ordinary client in your "to-be" FreeBSD powered access point before going further; access point (hostap) mode on top of that depends on the driver supporting it. Throughout this manual, "wireless-if" refers to the wireless interface (ath0 on the laptop) and "wired-if" to the wired interface; substitute your own device names. These are the steps.

Make the wireless card work in AP mode

Set up the interface

  ifconfig wireless-if up
  # SSID, channel and 802.11b rate; hostap mode needs an explicit SSID
  ifconfig wireless-if ssid SOME-SSID channel 0 media DS/11Mbps
  # switch the card from client (station) mode to access point mode
  ifconfig wireless-if mediaopt hostap up
  # the AP's own address; the netmask matches the /27 that dhcpd hands out below
  ifconfig wireless-if 10.254.239.1 netmask 255.255.255.224

Check with "ifconfig wireless-if" that the interface reports hostap mode and the SSID; if the driver lacks hostap support, the mediaopt command fails with an error and the card stays a client. Note that nothing here sets a WEP or WPA key: this is an open network, which is fine for experiments, but anyone in range can associate and will share the NAT and the spoofed DNS configured below.

Configure the kernel

  # let the kernel forward packets between the wireless and the wired interface
  sysctl net.inet.ip.forwarding=1

If you want to use the access point as a bridge instead of a router, configure bridging as follows (these sysctls only exist once the bridge module has been loaded with kldload bridge, see the rc.conf step below):

  sysctl net.link.ether.bridge.enable=1
  sysctl net.link.ether.bridge.config="wireless-if wired-if"

When bridging is used, the wireless clients sit directly on the wired LAN: they get their addresses, name service and route to the Internet from whatever already serves the wired side, so you need neither a DHCP server, nor a DNS server, nor NAT on your FreeBSD access point. The flip side is that anyone who associates with the AP is on your wired LAN, and the DNS spoofing described below does not apply to them. If you do not set up bridging, install and configure these services as explained in the following sections.

Set up the rc.conf file

So that forwarding survives a reboot, add to /etc/rc.conf:

  gateway_enable="YES"

If you are configuring your access point as a bridge, the bridge module must also be loaded at boot. kldload is a command, not an rc.conf setting: run it by hand now and put the loader.conf line in place for the next boot.

  # by hand, now
  kldload bridge
  # in /boot/loader.conf, for every boot
  bridge_load="YES"

Set up a DNS server

named (BIND 9) is a popular DNS server and is part of the FreeBSD 6 base system. We need it to resolve domain names to IP addresses on behalf of the wireless clients in the cell that our access point serves. For fun, we will also implement some DNS spoofing (DNS spoofing is the art of making a DNS entry point to a different IP address than the one it is supposed to point to). Two things the default FreeBSD setup does not do for you: named listens on 127.0.0.1 only (the listen-on line in the options block of named.conf), so add the access point's address 10.254.239.1 there or the clients get no answers, and named is only started at boot with named_enable="YES" in rc.conf. These are the steps:

Add the following in /etc/namedb/named.conf

  zone "com" {
    type master;
    file "master/com";
  };
 
  zone "239.254.10.in-addr.arpa" {
    type master;
    file "master/239.254.10.in-addr.arpa";
  };

This creates a zone "com", which lets us answer for any .com domain name in our wireless cell. The second zone is the reverse zone for the 10.254.239.0 network; create the file master/239.254.10.in-addr.arpa as well, or remove that zone, otherwise named logs an error for it at startup (it still serves the other zones).

Create the file /etc/namedb/master/com

  $TTL    86400   ; 1 day

  @       IN      SOA     ns.com. someone.jaist.ac.jp. (
                          1           ; Serial
                          2000        ; Refresh
                          900         ; Retry
                          3600000     ; Expire
                          86400       ; Minimum
                          )
          IN      NS      ns.com.
          IN      A       10.254.239.1

  ; the zone's name server is the access point itself; an in-zone NS
  ; needs an address record, otherwise named refuses to load the zone
  ns          IN      A       10.254.239.1

  ; the spoofed names: google.com and www.google.com point at the AP
  google      IN      A       10.254.239.1
  www.google  IN      A       10.254.239.1

This is the definition of the .com zone: google.com and www.google.com now resolve to 10.254.239.1, where a web server running on the access point answers in Google's place. Because named is now authoritative for the whole com zone, every other .com name gets NXDOMAIN from this resolver and is unreachable for the wireless clients. If you only want to hijack Google, declare the zone "google.com" instead of "com" and everything else keeps resolving normally.

Run a DHCP server

The DHCP server will allocate IP addresses for clients connecting to our access point.

Download the ISC DHCP server from www.isc.org, then compile and install it (on FreeBSD the net/isc-dhcp3-server port does the same and adds an rc.d script):

  $ ./configure
  $ make
  # make install      (as root)

Create the file /etc/dhcpd.conf and add the following

  option domain-name "somedomain";
  option domain-name-servers 10.254.239.1;   # the AP's (spoofing) named
  ddns-update-style none;                    # no "=" here; dhcpd rejects "ddns-update-style=none"
  default-lease-time 600;
  max-lease-time 7200;
  authoritative;                             # NAK clients that ask for addresses we do not know
  log-facility local7;
  # the wireless cell: a /27, the same netmask as on the interface
  subnet 10.254.239.0 netmask 255.255.255.224 {
    range 10.254.239.10 10.254.239.20;       # eleven leases, enough for experiments
    option routers 10.254.239.1;             # the default gateway is the AP
  }

Start the dhcpd server, naming the wireless interface so that it hands out leases there only and never answers DHCP requests on the wired network (a second, rogue DHCP server on the upstream LAN is a reliable way to break it for everyone). -d keeps dhcpd in the foreground, logging to stderr, which is handy while debugging. dhcpd also refuses to start until its leases file exists; it prints the expected path, so create that file empty with touch.

  # dhcpd -d -cf /etc/dhcpd.conf wireless-if

Routing and NAT setup

We need to set up NAT (Network Address Translation) on the AP so that the wireless clients, with their private 10.254.239.x addresses, can reach the Internet through the AP's wired address. natd does the translation on a divert socket, so the kernel must provide ipfw and divert sockets: either compile it with the "IPFIREWALL" and "IPDIVERT" options, or load the firewall module (kldload ipfw) as the startup script below does. If natd cannot open its divert socket, divert support is missing from the kernel.

For a permanent setup, put this in /etc/rc.conf; natd_interface is the public side, i.e. the wired interface, not the wireless one:

  firewall_enable="YES"           # rc.firewall loads ipfw and adds the divert rule
  firewall_type="open"            # "allow everything" rules, like rule 200 below
  natd_enable="YES"               # enable natd
  natd_interface="wired-if"       # interface name of the public Internet NIC
  natd_flags="-m"                 # -m = preserve port numbers if possible

To do the same by hand on the running system, start natd before adding the divert rule (packets diverted to a socket nobody listens on are dropped), and match both directions with "via" so that outgoing client packets are translated and the replies are translated back:

  kldload ipfw
  natd -m -interface wired-if
  ipfw add 100 divert natd ip from any to any via wired-if
  ipfw add 200 allow ip from any to any

Rule 200 opens the AP to everything from both sides. It gets the clients online, but keep it only if you trust everyone in range.
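The two-rule firewall above (divert, then allow everything) lets any wireless client reach every service on the access point itself, sshd included, and lets clients send packets with forged source addresses. As an added example that is not part of the original howto, the following sh script generates a ruleset that limits wireless clients to DHCP and DNS on the AP plus NATed Internet access. The interface names fxp0 and ath0, the AP address 10.254.239.1 and the subnet 10.254.239.0/27 are assumptions (the subnet matches the dhcpd.conf above), and rule_number is a helper of this example, not an ipfw feature.

```shell
#!/bin/sh
# Added example (not from the original howto): generate a tighter ipfw
# ruleset for the NAT access point. Wireless clients may talk to the AP
# only for DHCP and DNS, may not reach the AP's other services (sshd, ...),
# and may only source packets from the wireless subnet; the upstream
# (wired) side stays open, as in the original "allow all" setup.
# Assumed names and addresses, adjust to your machine: wired (public)
# interface fxp0, wireless interface ath0, AP address 10.254.239.1,
# wireless subnet 10.254.239.0/27 (the /27 from dhcpd.conf).

# gen_ap_rules WIRED_IF WIRELESS_IF AP_IP WLAN_NET
# Prints one ipfw command per line, in the form ipfw(8) reads from a file.
gen_ap_rules() {
    wired_if=$1
    wireless_if=$2
    ap_ip=$3
    wlan_net=$4

    # start from an empty table so the result does not depend on old rules
    echo "flush"
    # NAT first: "via" matches both directions on the wired interface, so
    # outgoing client packets are translated and replies are translated back;
    # natd must already be listening on the divert socket
    echo "add 100 divert natd ip from any to any via ${wired_if}"
    echo "add 200 allow ip from any to any via lo0"
    # wireless clients -> AP: DHCP (any source, clients start from 0.0.0.0)
    # and DNS from the wireless subnet; nothing else reaches the AP itself
    echo "add 300 allow udp from any to any 67 in via ${wireless_if}"
    echo "add 310 allow udp from ${ap_ip} 67 to any 68 out via ${wireless_if}"
    echo "add 320 allow udp from ${wlan_net} to ${ap_ip} 53 in via ${wireless_if}"
    echo "add 330 allow tcp from ${wlan_net} to ${ap_ip} 53 in via ${wireless_if}"
    echo "add 340 deny ip from any to ${ap_ip} in via ${wireless_if}"
    # anti-spoofing: only addresses from the wireless subnet may enter here
    echo "add 400 deny ip from not ${wlan_net} to any in via ${wireless_if}"
    # clients to the Internet (translated by rule 100 on the way out) and back
    echo "add 410 allow ip from ${wlan_net} to any in via ${wireless_if}"
    echo "add 420 allow ip from any to ${wlan_net} out via ${wireless_if}"
    # the wired side stays open, as in the original setup
    echo "add 500 allow ip from any to any via ${wired_if}"
    # explicit default; the IPFIREWALL default is deny anyway
    echo "add 65000 deny ip from any to any"
}

# rule_number RULESET PATTERN: number of the first "add" rule whose text
# contains PATTERN (empty if none); used to check the ordering of a ruleset
rule_number() {
    printf '%s\n' "$1" | awk -v pat="$2" '$1 == "add" && index($0, pat) { print $2; exit }'
}

# Print the ruleset for the assumed setup when run as: sh ap-fw.sh --print
if [ "${1:-}" = "--print" ]; then
    gen_ap_rules "${WIRED_IF:-fxp0}" "${WIRELESS_IF:-ath0}" \
                 "${AP_IP:-10.254.239.1}" "${WLAN_NET:-10.254.239.0/27}"
fi
```

Save the printed ruleset to a file and load it on the AP with "ipfw -q -f /etc/ipfw.ap.rules" after natd is running. If you want to ping or ssh into the AP from the wireless side, add an allow rule for that traffic before rule 340. The ruleset starts with flush, so load it on the console, not over the network.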

Startup Script

This script can be used to start the wireless access point after a reboot (router/NAT mode; the bridge lines are commented out because a bridge needs none of the servers). Run it on the console: loading ipfw blocks all traffic until the allow rule is added.

  #!/bin/sh
  # bring up the FreeBSD access point (router/NAT mode)
  wireless_if=ath0        # the Atheros card
  wired_if=wired-if       # replace with the real name of the wired interface

  ifconfig $wireless_if up
  ifconfig $wireless_if ssid BONITA channel 0 media DS/11Mbps
  ifconfig $wireless_if mediaopt hostap up
  ifconfig $wireless_if 10.254.239.1 netmask 255.255.255.224

  sysctl net.inet.ip.forwarding=1

  # bridge mode instead: uncomment these three lines and drop dhcpd,
  # named and natd below, which a bridge does not need
  #kldload bridge
  #sysctl net.link.ether.bridge.enable=1
  #sysctl net.link.ether.bridge.config="$wireless_if $wired_if"

  # DHCP on the wireless side only, and the (spoofing) name server
  dhcpd -cf /etc/dhcpd.conf $wireless_if
  named

  # NAT: natd must be listening before the divert rule exists, and "via"
  # translates both directions on the wired interface
  kldload ipfw
  natd -m -interface $wired_if
  ipfw add 100 divert natd ip from any to any via $wired_if
  ipfw add 200 allow ip from any to any
