Posted by: jasonk2600 | December 7, 2009

FreeBSD Based Secure WiFi Access Point


This document describes how to create a simple and secure wireless access point using the FreeBSD operating system. This HowTo assumes that you already have a FreeBSD system up and running with one wired NIC and one wireless NIC. The FreeBSD AP will use WPA security and will require wireless clients to reach the Internet through a proxy server running on the AP. The AP will also provide DHCP and DNS to the wireless clients. Wireless clients get no direct access to the LAN: the AP does not forward their packets, so the only services they can reach are the AP's own DHCP, DNS and proxy. For information on how to set up an open FreeBSD access point, see the “FreeBSD Basic WiFi Access Point” HowTo.


The FreeBSD AP will provide DHCP, DNS, and Web proxy services to wireless clients. The BIND DNS server is part of the FreeBSD base system; the DHCP server and the Web proxy have to be installed from the ports collection. NOTE: The default build options of both ports are fine; there is no need to change them.

# cd /usr/ports/net/isc-dhcp31-server
# make install clean

  [ .... Lots of Output .... ]

# cd /usr/ports/www/squid31
# make install clean

  [ .... Lots of Output .... ]



Start by configuring FreeBSD to use the wireless NIC as an access point. This is done with the hostapd daemon, which is included in the FreeBSD base system. Modify /etc/hostapd.conf to reflect the following settings. NOTE: Replace ath0 with the name of your wireless NIC, ssid=JKINFO with an SSID of your choice, and wpa_passphrase=password with a pre-shared passphrase of your choice. hostapd accepts passphrases of 8 to 63 characters; pick a long one, because with WPA-PSK the passphrase is all that stands between anyone within radio range and your wireless network. The wpa_pairwise=CCMP TKIP line lets clients negotiate either cipher; if all of your clients support WPA2, list CCMP alone, since TKIP is the weaker legacy cipher.

#### IEEE 802.11 related config ####
#### IEEE 802.1X related config ####
#### WPA/IEEE 802.11i config #####
wpa_pairwise=CCMP TKIP
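As an added check that is not part of the original HowTo, the script below lints a hostapd.conf for the three settings most likely to weaken this AP: a wpa= value that still offers WPA version 1, TKIP in a cipher list, and a short pre-shared passphrase. The two sample files it audits are constructed here; the weak one mirrors the settings above, with driver=bsd, wpa=3 and wpa_key_mgmt=WPA-PSK assumed for the lines the HowTo leaves to the reader. The 20-character minimum is this script's own policy, not a hostapd requirement.

```shell
#!/bin/sh
# Added example (not from the HowTo): lint a hostapd.conf for the weak WPA
# choices this setup can easily end up with. The two sample files below are
# constructed; only the key names are hostapd's own.

# conf_get FILE KEY: print the last value assigned to KEY. hostapd keys start
# in column 0, so "# wpa=..." comment lines are never matched.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# audit_hostapd_conf FILE: print one line per finding, return 0 if none.
audit_hostapd_conf() {
    conf=$1
    n=0
    # wpa=1 is WPA (TKIP era) only, wpa=3 offers WPA and WPA2; only wpa=2 is
    # WPA2 only.
    wpa=$(conf_get "$conf" wpa)
    if [ "$wpa" != "2" ]; then
        echo "wpa=${wpa:-unset}: allow WPA2 only (wpa=2)"
        n=$((n + 1))
    fi
    # TKIP in either cipher list lets a client negotiate the legacy cipher.
    for key in wpa_pairwise rsn_pairwise; do
        case " $(conf_get "$conf" $key) " in
            *" TKIP "*)
                echo "$key includes TKIP: use CCMP only"
                n=$((n + 1)) ;;
        esac
    done
    # hostapd accepts 8..63 characters; 20 is this script's own minimum
    # (an assumption, not a hostapd rule) against offline PSK guessing.
    pass=$(conf_get "$conf" wpa_passphrase)
    if [ ${#pass} -lt 20 ]; then
        echo "wpa_passphrase is ${#pass} chars: use 20 or more"
        n=$((n + 1))
    fi
    [ "$n" -eq 0 ]
}

WEAK=$(mktemp); GOOD=$(mktemp)
trap 'rm -f "$WEAK" "$GOOD"' EXIT

# Constructed: the HowTo's settings plus assumed values for the missing lines.
cat >"$WEAK" <<'EOF'
interface=ath0
driver=bsd
ssid=JKINFO
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
wpa_passphrase=password
EOF

# Constructed hardened version: WPA2 only, CCMP only, long passphrase.
cat >"$GOOD" <<'EOF'
interface=ath0
driver=bsd
ssid=JKINFO
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
wpa_passphrase=Replace-with-a-long-random-phrase
EOF

for f in "$WEAK" "$GOOD"; do
    if audit_hostapd_conf "$f"; then echo "$f: ok"; else echo "$f: FAIL"; fi
done
```

Run it against your real /etc/hostapd.conf by passing the path to audit_hostapd_conf; the weak sample produces three findings, the hardened one none.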


Next, configure the DHCP server. In the example below, the DHCP server will only answer requests received on the wireless NIC, which is ath0 with an IP address of . The address pool used will be  through . Modify /usr/local/etc/dhcpd.conf to reflect the following settings. NOTE: Change the network settings to match your own; in this example the LAN network is  and the wireless LAN network is . Point option domain-name-servers at the wireless address of the AP itself: since the AP does not forward packets, a wireless client cannot reach a DNS server on the wired LAN, so the AP's own BIND is the only resolver it can use.

ddns-update-style none;
always-broadcast on;
default-lease-time 7200;
max-lease-time 7200;
option domain-name-servers;
option domain-name "";
option netbios-name-servers;

subnet netmask {
        option broadcast-address;
        option subnet-mask;
        option routers;
}


Next, configure the Squid proxy server and initialize the cache directory. The default Squid configuration is enough to get a proxy running: it allows clients from the RFC 1918 private networks (the localnet ACL), which covers the wireless subnet if it uses a private address range, and denies everyone else. It does not, however, restrict where those clients may connect, so a wireless client could reach Web servers on the wired LAN through the proxy. If the LAN is meant to be off limits, add an acl of type dst for the LAN network and an http_access deny rule for it ahead of the http_access allow localnet line; Squid applies http_access rules in order and stops at the first match. Read through /usr/local/etc/squid/squid.conf for information on how to configure the proxy server to further suit your organization’s needs.

# cd /usr/local/etc/squid
# cp squid.conf.default squid.conf
# echo 'squid_enable="YES"' >> /etc/rc.conf
# squid -z


Next, configure the BIND DNS server. Most of the default BIND configuration fits the needs of the access point. Modify /etc/namedb/named.conf: set listen-on to the IP address of the wireless NIC, so that named answers only wireless clients, and set forwarders to the IP address(es) of your wired LAN’s DNS server(s), which the AP itself can reach.

listen-on {; };
forwarders {; };


Finally, configure all of the services to start automatically at boot by modifying /etc/rc.conf to reflect the following settings. NOTE: Change ath0 to the name of your wireless NIC, change  to the IP address you want the AP to use on the wireless side, and change JKINFO to the SSID you chose in hostapd.conf. Do not add gateway_enable="YES" to this file: IP forwarding is exactly what would give wireless clients direct access to the LAN.

ifconfig_ath0="inet  netmask
   ssid JKINFO mediaopt hostap"
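Before rebooting, it is worth checking the two settings that this design's isolation rests on: rc.conf must not enable IP forwarding (the AP is not a router, so a wireless client's packets for the LAN go nowhere), and squid.conf must deny the LAN network as a destination before it allows clients at all. The script below performs both checks against constructed rc.conf and squid.conf files. It is an added example, not part of the HowTo; the networks (10.0.0.0/24 as the wired LAN, 10.0.1.0/24 on the wireless side), the hostapd_enable, dhcpd_enable and named_enable lines, and the squid.conf access list modelled on the 3.1 default are assumptions standing in for the values the HowTo leaves to the reader.

```shell
#!/bin/sh
# Added example (not from the HowTo): check the two files that decide whether
# a wireless client can reach the wired LAN. The sample files below are
# constructed; 10.0.0.0/24 (wired LAN) and 10.0.1.0/24 (wireless) are assumed
# stand-ins for the networks the HowTo leaves to the reader.

# ip_forwarding_enabled RCCONF: 0 if rc.conf turns the AP into a router.
# Without gateway_enable FreeBSD does not forward packets between ath0 and
# the wired NIC, which is what keeps wireless clients off the LAN.
ip_forwarding_enabled() {
    grep -Eiq '^(gateway_enable|ipv6_gateway_enable)="?YES"?' "$1"
}

# squid_denies_lan SQUIDCONF CIDR: 0 if there is a dst ACL covering CIDR and
# an "http_access deny" for it placed before the first http_access allow that
# is not limited to localhost. Squid evaluates http_access lines in order and
# stops at the first match, so a deny after "allow localnet" never fires.
squid_denies_lan() {
    conf=$1; cidr=$2
    aclname=$(awk -v c="$cidr" '$1=="acl" && $3=="dst" {
        for (i = 4; i <= NF; i++) if ($i == c) { print $2; exit } }' "$conf")
    [ -n "$aclname" ] || return 1
    deny_ln=$(awk -v a="$aclname" '$1=="http_access" && $2=="deny" && $3==a {
        print NR; exit }' "$conf")
    [ -n "$deny_ln" ] || return 1
    allow_ln=$(awk '$1=="http_access" && $2=="allow" && $0 !~ /localhost/ {
        print NR; exit }' "$conf")
    [ -z "$allow_ln" ] || [ "$deny_ln" -lt "$allow_ln" ]
}

# wifi_isolated RCCONF SQUIDCONF CIDR: report both problems, 0 only if neither.
wifi_isolated() {
    bad=0
    if ip_forwarding_enabled "$1"; then
        echo "rc.conf enables IP forwarding: clients can route straight to $3"
        bad=1
    fi
    if ! squid_denies_lan "$2" "$3"; then
        echo "squid.conf does not deny $3 before allowing clients: the proxy reaches the LAN"
        bad=1
    fi
    [ "$bad" -eq 0 ] && echo "isolated: no forwarding, proxy denies $3"
    return $bad
}

RC_GOOD=$(mktemp); RC_BAD=$(mktemp); SQ_GOOD=$(mktemp); SQ_BAD=$(mktemp)
trap 'rm -f "$RC_GOOD" "$RC_BAD" "$SQ_GOOD" "$SQ_BAD"' EXIT

# Constructed rc.conf: the HowTo's services, no forwarding (address assumed).
cat >"$RC_GOOD" <<'EOF'
ifconfig_ath0="inet 10.0.1.1 netmask 255.255.255.0 ssid JKINFO mediaopt hostap"
hostapd_enable="YES"
dhcpd_enable="YES"
named_enable="YES"
squid_enable="YES"
EOF
# The same file plus the one line that would turn the AP into a router.
{ cat "$RC_GOOD"; echo 'gateway_enable="YES"'; } >"$RC_BAD"

# Constructed squid.conf modelled on the 3.1 default, plus a LAN deny rule.
cat >"$SQ_GOOD" <<'EOF'
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl localnet src 10.0.0.0/8
acl localnet src 172.16.0.0/12
acl localnet src 192.168.0.0/16
acl SSL_ports port 443
acl Safe_ports port 80
acl CONNECT method CONNECT
acl lan dst 10.0.0.0/24
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny lan
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 3128
EOF
# The same file without the two LAN lines, i.e. the stock behaviour.
grep -Ev '^acl lan |deny lan$' "$SQ_GOOD" >"$SQ_BAD"

for rc in "$RC_GOOD" "$RC_BAD"; do
    for sq in "$SQ_GOOD" "$SQ_BAD"; do
        wifi_isolated "$rc" "$sq" 10.0.0.0/24
    done
done
```

On the AP itself, run wifi_isolated /etc/rc.conf /usr/local/etc/squid/squid.conf with your real LAN prefix; only the combination of no forwarding and a correctly ordered deny passes.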


Reboot the FreeBSD AP and test the new settings.



To test the settings, connect to your FreeBSD AP with a wireless client. You should see your new AP with the SSID that you chose earlier, and the client should ask for the WPA passphrase. Be sure to configure the wireless client to obtain an IP address and DNS server automatically. Furthermore, configure the client’s Web browser to use a proxy server with the IP address of the FreeBSD access point on port 3128, Squid’s default. You should now be able to browse the Web from the wireless client. Also confirm the isolation: from the wireless client, try to reach a host on the wired LAN directly, for example with ping. Since the AP does not forward packets this should fail, while the proxied Web access continues to work.



Obviously there are many pieces and places where things can go wrong. The first step is to check the log files for any error messages. Should you need any more help troubleshooting, drop me a note at and I’ll do my best to help out.


