Posted by: jasonk2600 | December 7, 2009

FreeBSD Based Secure WiFi Access Point

Description

This document describes how to create a simple and secure wireless access point using the FreeBSD operating system.  This HowTo assumes that you already have a FreeBSD system up and running with one wired NIC and one wireless NIC.  The FreeBSD AP will use WPA security and will require all wireless clients to reach the Internet through a proxy server.  The FreeBSD AP will also provide DHCP and DNS to the wireless clients.  No direct access to the LAN by a wireless client will be allowed.  For information on how to set up an open FreeBSD access point, see the “FreeBSD Basic WiFi Access Point” HowTo.

Installation

The FreeBSD AP will provide DHCP, DNS, and Web proxy services to wireless clients.  The BIND DNS server is already included in the FreeBSD base system; the DHCP server and the Web proxy have to be installed from the ports collection.  NOTE: There is no need to change the default port build options.

# cd /usr/ports/net/isc-dhcp31-server
# make install clean

  [ .... Lots of Output .... ]

# cd /usr/ports/www/squid31
# make install clean

  [ .... Lots of Output .... ]

Configuration

Start by configuring FreeBSD to use the wireless NIC as an access point.  This is done with the hostapd daemon that is included in the FreeBSD base system.  Modify /etc/hostapd.conf to reflect the following settings.  NOTE: Replace ath0 with the name of your wireless NIC, ssid=JKINFO with an SSID of your choice, and wpa_passphrase=password with a pre-shared passphrase of your choice.

interface=ath0
driver=bsd
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
#### IEEE 802.11 related config ####
ssid=JKINFO
macaddr_acl=0
auth_algs=1
#### IEEE 802.1X related config ####
ieee8021x=0
#### WPA/IEEE 802.11i config #####
wpa=1
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

Next, configure the DHCP server.  In the example below, the DHCP server will only answer requests received on the wireless NIC, which is ath0 with an IP address of 10.0.2.1.  The address pool used will be 10.0.2.100 through 10.0.2.200.  Modify /usr/local/etc/dhcpd.conf to reflect the following settings.  NOTE: Change the network settings to match your own; in this example the LAN network is 10.0.1.0/24 and the wireless LAN network is 10.0.2.0/24.

ddns-update-style none;
always-broadcast on;
default-lease-time 7200;
max-lease-time 7200;
authoritative;
option domain-name-servers 10.0.2.1;
option domain-name "WiFi.JasonK.info";
option netbios-name-servers 10.0.2.1;

subnet 10.0.2.0 netmask 255.255.255.0 {
        range 10.0.2.100 10.0.2.199;
        option broadcast-address 10.0.2.255;
        option subnet-mask 255.255.255.0;
        option routers 10.0.2.1;
}

Next, configure the Squid proxy server and initialize the cache directory.  The default Squid configuration file will be enough to get things up and running.  Read through /usr/local/etc/squid/squid.conf for information on how to configure the proxy server to further suit your organization’s needs.

# cd /usr/local/etc/squid
# cp squid.conf.default squid.conf
# echo 'squid_enable="YES"' >> /etc/rc.conf
# squid -z

Next, configure the BIND DNS server.  Most of the default BIND configuration will fit the needs of the access point.  Modify the /etc/namedb/named.conf file and change the listen-on setting to the IP address of the wireless NIC and modify the forwarders setting to the IP address of your wired LAN’s DNS server(s).

listen-on { 10.0.2.1; };
forwarders { 68.87.85.102; };

Finally, configure all of the services to automatically start at system boot by modifying /etc/rc.conf to reflect the following settings.  NOTE: Change ath0 to the name of your wireless NIC, change 10.0.2.1 to the IP address you want the AP to use, and change JKINFO to the SSID that you want to name the access point.

ifconfig_ath0="inet 10.0.2.1 netmask 255.255.255.0 ssid JKINFO mediaopt hostap"
hostapd_enable="YES"
named_enable="YES"
dhcpd_enable="YES"
squid_enable="YES"

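As an added example that is not part of the original HowTo, a short POSIX sh audit to run on the AP before the reboot: it checks hostapd.conf for WPA-PSK with CCMP and for the example passphrase still being in place, and checks rc.conf for the four service knobs and for the ifconfig_ath0 value being on a single quoted line. The gateway_enable check is an assumption added here: since the post states wireless clients get no direct LAN access, the AP should not be forwarding packets between 10.0.2.0/24 and 10.0.1.0/24, and gateway_enable="YES" in rc.conf would turn that forwarding on.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: audit the two files that
# carry the security-relevant settings before rebooting. Paths are the ones
# the post names; the gateway_enable check is an added assumption that the
# AP must not route between the wireless subnet and the wired LAN.

# audit_hostapd FILE -> 0 when WPA-PSK is enabled, CCMP is offered, and the
# placeholder passphrase "password" from the example has been replaced
audit_hostapd() {
    f="$1"
    grep -q '^wpa=[123]$' "$f" || { echo "hostapd: wpa= not enabled"; return 1; }
    grep -q '^wpa_key_mgmt=WPA-PSK' "$f" || { echo "hostapd: WPA-PSK missing"; return 1; }
    grep -q '^wpa_pairwise=.*CCMP' "$f" || { echo "hostapd: CCMP not offered"; return 1; }
    grep -q '^wpa_passphrase=password$' "$f" && { echo "hostapd: example passphrase still set"; return 1; }
    return 0
}

# audit_rc FILE -> 0 when all four services start at boot, the ifconfig_ath0
# value is a single quoted line, and the AP is not configured as a router
audit_rc() {
    f="$1"
    for svc in hostapd named dhcpd squid; do
        grep -Eq "^${svc}_enable=\"?YES\"?" "$f" || { echo "rc.conf: ${svc}_enable missing"; return 1; }
    done
    grep -Eq '^ifconfig_ath0="[^"]*hostap"$' "$f" || { echo "rc.conf: ifconfig_ath0 line is wrapped or unquoted"; return 1; }
    grep -Eq '^gateway_enable="?YES"?' "$f" && { echo "rc.conf: gateway_enable=YES would route wireless clients onto the LAN"; return 1; }
    return 0
}

# Constructed samples in a scratch directory, matching the HowTo's values
TMP=$(mktemp -d)
cat > "$TMP/hostapd.conf" <<'EOF'
interface=ath0
wpa=1
wpa_passphrase=password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
EOF
cat > "$TMP/rc.conf" <<'EOF'
ifconfig_ath0="inet 10.0.2.1 netmask 255.255.255.0 ssid JKINFO mediaopt hostap"
hostapd_enable="YES"
named_enable="YES"
dhcpd_enable="YES"
squid_enable="YES"
EOF

audit_hostapd "$TMP/hostapd.conf"   # fails: placeholder passphrase still set
audit_rc "$TMP/rc.conf"             # passes
```

Run it against the real /etc/hostapd.conf and /etc/rc.conf instead of the constructed samples; a non-zero exit with its message tells you which setting to fix before the reboot.
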
Reboot the FreeBSD AP and test the new settings.

Testing

To test the settings try to connect to your FreeBSD AP with a wireless client.  You should see your new AP with the SSID that you chose earlier.  Be sure to configure the wireless client to automatically obtain an IP address and DNS server.  Furthermore, configure the client’s Web browser to use a proxy server with the IP address of the FreeBSD access point on port 3128.  You should now be able to browse the Web from the wireless client.

Troubleshooting

Obviously there are many pieces and places where things can go wrong.  The first step is to check the log files for any error messages.  Should you need any more help troubleshooting, drop me a note at JasonK@JasonK.info and I’ll do my best to help out.

  [EoF]