Setting Up a Simple Wireless Network

For our first wireless network, it makes sense to use the basic gateway configuration from the previous chapter as our starting point. In your network design, it is likely that the wireless network is not directly attached to the Internet at large, but the wireless network will require a gateway of some sort. For that reason, it makes sense to reuse the working gateway setup for this wireless access point, with some minor modifications introduced over the next few paragraphs. After all, doing so is more convenient than starting a new configuration from scratch.

Note

We are in infrastructure-building mode here, and will be setting up the access point first. If you prefer to look at the client setup first, see The Client Side later in this chapter.

The first step is to make sure you have a supported card and check that the driver loads and initializes the card properly. The boot-time system messages scroll by on the console, but they are also recorded in the file /var/run/dmesg.boot. You can view the file itself or use the dmesg command to see these messages. With a successfully configured PCI card, you should see something like this:

ral0 at pci1 dev 10 function 0 "Ralink RT2561S" rev 0x00: apic 2 int 11 (irq 11), address 00:25:9c:72:cf:60
ral0: MAC/BBP RT2561C, RF RT2527

If the interface you want to configure is a hot-pluggable type, such as a USB or PC Card device, you can see the kernel messages by viewing the /var/log/messages file; for example, by running tail -f on the file before you plug in the device.

Next, you need to configure the interface, first to enable the link, and finally to configure the system for TCP/IP. You can do this from the command line, like this:

$ sudo ifconfig ral0 up mediaopt hostap mode 11g chan 1 nwid unwiredbsd nwkey 0x1deadbeef9

This command does several things at once. It configures the ral0 interface, enables the interface with the up parameter, and specifies that the interface is an access point for a wireless network with mediaopt hostap. Then it explicitly sets the operating mode to 11g and the channel to 1. Finally, it uses the nwid parameter to set the network name to unwiredbsd, with the WEP key (nwkey) set to the hexadecimal string 0x1deadbeef9.

Use ifconfig to check that the command successfully configured the interface:

$ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:9c:72:cf:60
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        ieee80211: nwid unwiredbsd chan 1 bssid 00:25:9c:72:cf:60 nwkey <not displayed> 100dBm
        inet6 fe80::225:9cff:fe72:cf60%ral0 prefixlen 64 scopeid 0x2

Note the contents of the media and ieee80211 lines. The information displayed here should match what you entered on the ifconfig command line.

With the link part of your wireless network operational, you can assign an IP address to the interface:

$ sudo ifconfig ral0 10.50.90.1

On OpenBSD, you can combine both steps into one by creating a /etc/hostname.ral0 file roughly like this:

up mediaopt hostap mode 11g chan 1 nwid unwiredbsd nwkey 0x1deadbeef9
inet 10.50.90.1

Then run sh /etc/netstart ral0 (as root), or wait patiently for your next boot to complete.

Notice that the preceding configuration is divided over two lines. The first line generates an ifconfig command that sets up the interface with the correct parameters for the physical wireless network. The second line generates the command that sets the IP address after the first command completes. Because this is our access point, we set the channel explicitly, and we enable weak WEP encryption by setting the nwkey parameter.

On NetBSD, you can normally combine all of these parameters in one rc.conf setting:

ifconfig_ral0="mediaopt hostap mode 11g chan 1 nwid unwiredbsd nwkey 0x1deadbeef9 inet 10.50.90.1"

FreeBSD 8 and newer take a slightly different approach, tying wireless network devices to the unified wlan(4) driver. Depending on your kernel configuration, you may need to add the relevant module load lines to /boot/loader.conf. On one of my test systems, /boot/loader.conf looks like this:

if_rum_load="YES"
wlan_scan_ap_load="YES"
wlan_scan_sta_load="YES"
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"

With the relevant modules loaded, setup is a multicommand affair, best handled by a start_if.if file for your wireless network. Here is an example of an /etc/start_if.rum0 file for a WEP access point on FreeBSD 8:

wlans_rum0="wlan0"
create_args_wlan0="wlandev rum0 wlanmode hostap"
ifconfig_wlan0="inet 10.50.90.1 netmask 255.255.255.0 ssid unwiredbsd wepmode on wepkey 0x1deadbeef9 mode 11g"

After a successful configuration, your ifconfig output should show both the physical interface and the wlan interface up and running:

rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:24:1d:9a:bf:67
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:24:1d:9a:bf:67
        inet 10.50.90.1 netmask 0xffffff00 broadcast 10.50.90.255
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid unwiredbsd channel 6 (2437 Mhz 11g) bssid 00:24:1d:9a:bf:67
        country US authmode OPEN privacy ON deftxkey UNDEF wepkey 1:40-bit
        txpower 0 scanvalid 60 protmode CTS dtimperiod 1 -dfs

The line status: running means that you are up and running, at least on the link level.

Note

Be sure to check the most up-to-date ifconfig man page for other options that may be more appropriate for your configuration.

An OpenBSD WPA Access Point

WPA support was introduced in OpenBSD 4.4, with extensions to most wireless network drivers and a new utility called wpa-psk(8) to handle WPA keying operations.

Note

There may still be wireless network drivers that do not have WPA support, so check the driver’s man page to see if WPA is supported before you try to configure your network to use it. You can combine 802.1x key management with an external authentication server for “enterprise” mode, but we will stick to the simpler preshared key setup for our purposes.

The procedure for setting up an access point with WPA is quite similar to the one we followed for WEP. To generate a shared WPA key, you need to run the wpa-psk utility. If we reuse the WEP key from the earlier examples as the cleartext for our WPA passphrase, we could generate our key like this:

$ wpa-psk unwiredbsd 0x1deadbeef9
0x31db31f2291f1ddf3ded3ca463a7dd5c0cd77a814f1d8e6c64990bfcb287b202

You could copy this value into the ifconfig command or hostname.if file, or make ifconfig read the output of the wpa-psk call directly. Putting the cleartext into the configuration file will also make it slightly more readable. For a WPA setup with a preshared key (sometimes referred to as a network password), you would typically write a hostname.if file like this:

up media autoselect mediaopt hostap mode 11g chan 1 nwid unwiredbsd wpa wpapsk `wpa-psk unwiredbsd 0x1deadbeef9`
inet 10.50.90.1
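What the backticked wpa-psk call above actually computes, as an added example in Python that is not part of the original text or of OpenBSD's wpa-psk(8): the 802.11i passphrase-to-PSK derivation, which hostapd's wpa_passphrase= and wpa_supplicant's quoted psk= settings on FreeBSD apply as well, so both BSDs arrive at the same 256-bit key from the same SSID and passphrase. The function names are my own; the 8-to-63-character passphrase and 64-hex-digit key rules are the standard's.

```python
import hashlib

# 802.11i: PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes). This is what
# wpa-psk(8), hostapd's wpa_passphrase= and wpa_supplicant's psk="..." all compute.
ITERATIONS = 4096
KEY_BYTES = 32


def wpa_psk(ssid, passphrase):
    """Return the 256-bit preshared key as 64 lowercase hex digits."""
    # The passphrase is a string of characters: "0x1deadbeef9" is the 12-character passphrase
    # used on this page, not a hexadecimal number, so the 0x prefix is part of the secret.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not 1 <= len(ssid.encode()) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    key = hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), ITERATIONS, KEY_BYTES)
    return key.hex()


def wpapsk_arg(ssid, passphrase):
    """Format the key the way wpa-psk(8) prints it and ifconfig's wpapsk parameter takes it."""
    return "0x" + wpa_psk(ssid, passphrase)


def psk_from_config(ssid, value, quoted=True):
    """Resolve a wpa_supplicant-style psk= setting to the 32 key bytes.

    A quoted value (psk="...") is a passphrase and gets derived, which is why the page's
    psk="0x1deadbeef9" works. An unquoted value must be the 64-hex-digit key itself.
    """
    if quoted:
        return bytes.fromhex(wpa_psk(ssid, value))
    if len(value) != 64 or any(c not in "0123456789abcdefABCDEF" for c in value):
        raise ValueError("unquoted psk must be exactly 64 hex digits")
    return bytes.fromhex(value)


if __name__ == "__main__":
    # Same inputs as the wpa-psk call on this page; compare with what your system prints.
    print(wpapsk_arg("unwiredbsd", "0x1deadbeef9"))
```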

If you are already running the WEP setup described earlier, disable those settings with the following:

$ sudo ifconfig ral0 -nwid -nwkey

Then enable the new settings with this command:

$ sudo sh /etc/netstart ral0

You can then check that the access point is up and running with ifconfig:

$ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:9c:72:cf:60
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        ieee80211: nwid unwiredbsd chan 1 bssid 00:25:9c:72:cf:60 wpapsk <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
        inet6 fe80::225:9cff:fe72:cf60%ral0 prefixlen 64 scopeid 0x2
        inet 10.50.90.1 netmask 0xff000000 broadcast 10.255.255.255

Note the status: active indication and that the WPA options we did not set explicitly are shown with their sensible default values.

A FreeBSD WPA Access Point

Moving from the WEP access point we configured earlier to a somewhat safer WPA setup is rather straightforward. WPA support on FreeBSD comes in the form of hostapd (a program that is somewhat similar to OpenBSD’s hostapd but not identical). We start by editing the /etc/start_if.rum0 file to remove the authentication information. The edited file should look something like this:

wlans_rum0="wlan0"
create_args_wlan0="wlandev rum0 wlanmode hostap"
ifconfig_wlan0="inet 10.50.90.1 netmask 255.255.255.0 ssid unwiredbsd mode 11g"

Next, we add the enable line for hostapd in /etc/rc.conf:

hostapd_enable="YES"

And finally, hostapd will need some configuration of its own, in /etc/hostapd.conf:

interface=wlan0
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=unwiredbsd
wpa=1
wpa_passphrase=0x1deadbeef9
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

Here, the interface specification is rather self-explanatory, while the debug value is set to produce minimal messages. The range is 0 through 4, where 0 is no debug messages at all. You should not need to change the ctrl_interface* settings unless you are developing hostapd. The first of the next five lines sets the network identifier. The subsequent lines enable WPA and set the passphrase. The final two lines specify accepted key-management algorithms and encryption schemes. (For the finer details and updates, see the hostapd(8) and hostapd.conf(5) man pages.)

After a successful configuration (running sudo /etc/rc.d/hostapd forcestart comes to mind), ifconfig should produce output about the two interfaces similar to this:

rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:24:1d:9a:bf:67
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:24:1d:9a:bf:67
        inet 10.50.90.1 netmask 0xffffff00 broadcast 10.50.90.255
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid unwiredbsd channel 6 (2437 Mhz 11g) bssid 00:24:1d:9a:bf:67
        country US authmode WPA privacy MIXED deftxkey 2 TKIP 2:128-bit
        txpower 0 scanvalid 60 protmode CTS dtimperiod 1 -dfs

The line status: running means that you are up and running, at least on the link level.

The Access Point's PF Rule Set

With the interfaces configured, it’s time to start configuring the access point as a packet-filtering gateway. You can start by copying the basic gateway setup from Chapter 3. Enable gatewaying via the appropriate entries in the access point’s sysctl.conf or rc.conf file, and then copy across the pf.conf file. Depending on the parts of the previous chapter that were most useful to you, the pf.conf file may look something like this:

ext_if = "re0" # macro for external interface - use tun0 or pppoe0 for PPPoE
int_if = "re1" # macro for internal interface
localnet = $int_if:network
client_out = "{ ssh, domain, pop3, auth, nntp, http,
                https, cvspserver, 2628, 5999, 8000, 8080 }"
udp_services = "{ domain, ntp }"
icmp_types = "{ echoreq, unreach }"
# ext_if IP address could be dynamic, hence ($ext_if)
match out on $ext_if from $localnet nat-to ($ext_if)
block all
pass quick inet proto { tcp, udp } from $localnet to port $udp_services
pass log inet proto icmp icmp-type $icmp_types
pass inet proto tcp from $localnet to port $client_out

If you are running a PF version from OpenBSD 4.6 or earlier, the match rule with nat-to instead becomes this:

nat on $ext_if from $localnet to any -> ($ext_if)

The only difference that is strictly necessary for your access point to work is to change the definition of int_if to match the wireless interface. In our example, this means the line should now read as follows:

int_if = "ral0"  # macro for internal interface

More than likely, you will also want to set up dhcpd to serve addresses and other relevant network information to clients after they have associated with your access point. Setting up dhcpd is fairly straightforward if you read the man pages.

That’s all there is to it. This configuration gives you a functional BSD access point, with at least token security (actually more like a Keep Out! sign) via WEP encryption, or a slightly more robust link-level encryption with WPA. If you need to support FTP, copy the ftp-proxy configuration from the machine you set up in Chapter 3 and make changes similar to those you made for the rest of the rule set.

Access Points with Three or More Interfaces

If your network design dictates that your access point is also the gateway for a wired local network, or even several wireless networks, you need to make some minor changes to your rule set. Instead of just changing the value of the int_if macro, you might want to add another (descriptive) definition for the wireless interface, such as the following:

air_if = "ral0"

Your wireless interfaces are likely to be on separate subnets, so it might be useful to have a separate rule for each of them to handle the NAT configuration. Here’s an example for OpenBSD 4.7 and newer systems:

match out on $ext_if from $air_if:network nat-to ($ext_if)

And here’s one on pre-OpenBSD 4.7 PF versions:

nat on $ext_if from $air_if:network to any -> ($ext_if) static-port

Depending on your policy, you might also want to adjust your localnet definition, or at least include $air_if in your pass rules where appropriate. And once again, if you need to support FTP, a separate pass with redirection for the wireless network to ftp-proxy may be in order.

Handling IPSec, VPN Solutions

You can set up virtual private networks (VPNs), using built-in IPsec tools, OpenSSH, or other tools. However, with the relatively poor security profile of wireless networks in general, you are likely to want to set up some additional security.

The options fall roughly into three categories:

SSH

If your VPN is based on SSH tunnels, the baseline rule set already contains all the filtering you need. Your tunneled traffic will be indistinguishable from other SSH traffic to the packet filter.

IPsec with UDP key exchange (IKE/ISAKMP)

Several IPsec variants depend critically on key exchange via proto udp port 500 and use proto udp port 4500 for NAT Traversal (NAT-T). You need to let this traffic through in order to let the flows become established. Almost all implementations also depend critically on letting ESP protocol traffic (protocol number 50) pass between the hosts with the following:

pass proto esp from $source to $target

Filtering on IPsec encapsulation interfaces

With a properly configured IPsec setup, you can set up PF to filter on the encapsulation interface enc0 itself with the following:[22]

pass on enc0 proto ipencap from $source to $target keep state (if-bound)

See Appendix A for references to some of the more useful literature on the subject.

The Client Side

As long as you have BSD clients, setup is extremely easy. The steps involved in connecting a BSD machine to a wireless network are quite similar to the ones we just went through to set up a wireless access point. On OpenBSD, the configuration centers on the hostname.if file for the wireless interface. On FreeBSD, the configuration centers on rc.conf, but will most likely involve a few other files, depending on your exact configuration.

OpenBSD Setup

Starting with the OpenBSD case, in order to connect to the WEP access point we just configured, your OpenBSD clients need a hostname.if (for example, /etc/hostname.ral0) configuration file with these lines:

up media autoselect mode 11g chan 1 nwid unwiredbsd nwkey 0x1deadbeef9
dhcp

The first line sets the link-level parameters in more detail than usually required. Only up and the nwid and nwkey parameters are strictly necessary. In almost all cases, the driver will associate with the access point on the appropriate channel and in the best available mode. The second line calls for a DHCP configuration, and in practice, causes the system to run a dhclient command to retrieve TCP/IP configuration information.

If you chose to go with the WPA configuration, the file will look like this instead:

up media autoselect mode 11g chan 1 nwid unwiredbsd wpa wpapsk
 `wpa-psk unwiredbsd 0x1deadbeef9`
dhcp

Again, the first line sets the link-level parameters, where the crucial ones are the network selection and encryption parameters nwid, wpa, and wpapsk. You can try omitting the mode and chan parameters; in almost all cases, the driver will associate with the access point on the appropriate channel and in the best available mode.

If you want to try out the configuration commands from the command line before committing the configuration to your /etc/hostname.if file, the command to set up a client for the WEP network is as follows:

$ sudo ifconfig ral0 up mode 11g chan 1 nwid unwiredbsd nwkey 0x1deadbeef9

The ifconfig command should complete without any output. You can then use ifconfig to check that the interface was successfully configured. The output should look something like this:

$ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:9c:72:cf:60
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid unwiredbsd chan 1 bssid 00:25:9c:72:cf:60 nwkey <not displayed> 100dBm
        inet6 fe80::225:9cff:fe72:cf60%ral0 prefixlen 64 scopeid 0x2

Note that the ieee80211 line displays the network name and channel, along with a few other parameters. The information displayed here should match what you entered on the ifconfig command line.

Here is the command to configure your OpenBSD client to connect to the WPA network:

$ sudo ifconfig ral0 nwid unwiredbsd wpa wpapsk `wpa-psk unwiredbsd 0x1deadbeef9`

The command should complete without any output. If you use ifconfig again to check the interface status, the output will look something like this:

$ ifconfig ral0
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:9c:72:cf:60
        priority: 4
        groups: wlan
        media: IEEE802.11 autoselect (OFDM54 mode 11g)
        status: active
        ieee80211: nwid unwiredbsd chan 1 bssid 00:25:9c:72:cf:60 wpapsk <not displayed> wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
        inet6 fe80::225:9cff:fe72:cf60%ral0 prefixlen 64 scopeid 0x2

Check that the ieee80211: line displays the correct network name and sensible WPA parameters.
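A check for the ifconfig output shown here and in the access point sections above, as an added example in Python (my own code, not from the book): it reads either the OpenBSD ieee80211 line or the FreeBSD ssid/authmode lines and reports anything that differs from the nwid and channel you configured, or that leaves the link open or on WEP only. The two sample outputs are constructed from the formats on this page; the function names are my own.

```python
import re

# Constructed sample in the OpenBSD ifconfig format shown on this page (WPA access point).
OPENBSD_WPA = """\
ral0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:25:9c:72:cf:60
        media: IEEE802.11 autoselect mode 11g hostap
        status: active
        ieee80211: nwid unwiredbsd chan 1 bssid 00:25:9c:72:cf:60 wpapsk <not displayed> \
wpaprotos wpa1,wpa2 wpaakms psk wpaciphers tkip,ccmp wpagroupcipher tkip 100dBm
"""

# Constructed sample in the FreeBSD format shown on this page (WEP access point on channel 6).
FREEBSD_WEP = """\
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:24:1d:9a:bf:67
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
        status: running
        ssid unwiredbsd channel 6 (2437 Mhz 11g) bssid 00:24:1d:9a:bf:67
        country US authmode OPEN privacy ON deftxkey UNDEF wepkey 1:40-bit
"""


def parse_wlan(text):
    """Pull the fields worth checking out of OpenBSD or FreeBSD ifconfig output for one interface."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.group(1) if m else None

    chan = grab(r"\b(?:chan|channel)\s+(\d+)")
    info = {
        "name": text.split(":", 1)[0],
        "status": grab(r"status:\s*(\w+)"),
        "ssid": grab(r"\b(?:nwid|ssid)\s+(\S+)"),  # OpenBSD prints nwid, FreeBSD prints ssid
        "chan": int(chan) if chan else None,
        "hostap": "hostap" in text,                 # "mode 11g hostap" or "<hostap>"
        "security": "open",
        "ciphers": [],
    }
    # OpenBSD shows wpapsk and wpaciphers; FreeBSD shows authmode WPA... and the cipher names.
    if re.search(r"\bwpapsk\b|\bauthmode\s+WPA", text):
        info["security"] = "wpa"
        ciphers = grab(r"\bwpaciphers\s+([\w,]+)")
        info["ciphers"] = ciphers.split(",") if ciphers else re.findall(r"\b(TKIP|CCMP)\b", text)
    elif re.search(r"\bnwkey\b|\bwepkey\b", text):
        info["security"] = "wep"
    return info


def check_wlan(text, nwid, chan=None):
    """List what differs from the settings you configured; an empty list means it all matches."""
    info = parse_wlan(text)
    problems = []
    if info["status"] not in ("active", "running", "associated"):
        problems.append("link not up: status %s" % info["status"])
    if info["ssid"] != nwid:
        problems.append("nwid mismatch: %s" % info["ssid"])
    if chan is not None and info["chan"] != chan:
        problems.append("channel mismatch: %s" % info["chan"])
    if info["security"] == "open":
        problems.append("no link-level encryption")
    elif info["security"] == "wep":
        problems.append("WEP only: token security")  # the Keep Out! sign the text mentions
    return problems
```

Feed check_wlan the real output of ifconfig ral0 or ifconfig wlan0 to check a live interface.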

Once you are satisfied that the interface is configured at the link level, use the dhclient command to configure the interface for TCP/IP, like this:

$ sudo dhclient ral0

The dhclient command should print a summary of its dialogue with the DHCP server that looks something like this:

DHCPREQUEST on ral0 to 255.255.255.255 port 67
DHCPREQUEST on ral0 to 255.255.255.255 port 67
DHCPACK from 10.50.90.1 (00:25:9c:72:cf:60)
bound to 10.50.90.11 -- renewal in 1800 seconds.

FreeBSD Setup

On FreeBSD, you may need to do a bit more work than is necessary with OpenBSD. Depending on your kernel configuration, you may need to add the relevant module load lines to /boot/loader.conf. On one of my test systems, /boot/loader.conf looks like this:

if_rum_load="YES"
wlan_scan_ap_load="YES"
wlan_scan_sta_load="YES"
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"

With the relevant modules loaded, you can join the WEP network we configured earlier by issuing the following command:

$ sudo ifconfig wlan create wlandev rum0 ssid unwiredbsd wepmode on wepkey 0x1deadbeef9 up

Then issue this command:

$ sudo dhclient wlan0

For a more permanent configuration, create a start_if.rum0 file (replace rum0 with the name of the physical interface if it differs) with content like this:

wlans_rum0="wlan0"
create_args_wlan0="wlandev rum0 ssid unwiredbsd wepmode on wepkey 0x1deadbeef9 up"
ifconfig_wlan0="DHCP"

If you want to join the WPA network, you need to set up wpa_supplicant and change your network interface settings slightly. For the WPA access point, connect with the following configuration in your start_if.rum0 file:

wlans_rum0="wlan0"
create_args_wlan0="wlandev rum0"
ifconfig_wlan0="WPA"

You also need an /etc/wpa_supplicant.conf file that contains the following:

network={
  ssid="unwiredbsd"
  psk="0x1deadbeef9"
}

Finally, add a second ifconfig_wlan0 line in rc.conf, to ensure that dhclient runs correctly:

ifconfig_wlan0="DHCP"

Other WPA networks may require additional options. After a successful configuration, the ifconfig output should display something like this:

rum0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 2290
        ether 00:24:1d:9a:bf:67
        media: IEEE 802.11 Wireless Ethernet autoselect mode 11g
        status: associated
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        ether 00:24:1d:9a:bf:67
        inet 10.50.90.16 netmask 0xffffff00 broadcast 10.50.90.255
        media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
        status: associated
        ssid unwiredbsd channel 1 (2412 Mhz 11g) bssid 00:25:9c:72:cf:60
        country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
        TKIP 2:128-bit txpower 0 bmiss 7 scanvalid 450 bgscan bgscanintvl 300
        bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS roaming MANUAL


[22] In OpenBSD 4.8 the encapsulation interface became a cloneable interface, and you can configure several separate enc interfaces. All enc interfaces become members of the enc interface group.
