Building my own wireless point

I got interested in building my own wireless point after seeing some of the wireless firmware issues like this.  Besides, I've always been interested in embedded devices and FreeBSD.

So, the first step was a device.  I chose to use a Wandboard.  I'm a committer to Crochet-FreeBSD, so I built out the device support for Crochet-FreeBSD.  You can take a look here.

For the wireless interface I used a Cisco AE1000 USB wireless adapter. The AE1000 uses the run driver.

Starting the wireless interface and scanning for wireless points looks like this:

ifconfig wlan0 create wlandev run0
ifconfig wlan0 up scan

On this board I have two interfaces:

  • ffec0.  The wired interface
  • run0.  The Cisco USB wireless

ffec0 is configured to get an IP, gateway and DNS via DHCP, in /etc/rc.conf

ifconfig_ffec0="DHCP"

I had these design criteria.

  • I already have a DHCP server, so I didn't want to assign IP leases on the wireless point; I want to delegate to my existing DHCP server
  • I prefer to use WPA Personal for authentication
  • I'd like to install as little software as possible; this doesn't need to be complicated
  • It would be great to automatically firewall any IPs that fail to log in more than a couple times
  • A simple web administration interface would be very helpful

Of course, I'm not interested in connecting to an existing wireless point; instead I want to be the wireless point.  I need only one piece of software to function as a wireless point: hostapd.  Fortunately hostapd is part of the base FreeBSD install.

There are a couple kernel features I needed, so I loaded them at boot time.  My /boot/loader.conf looks like:

console="comconsole"

#pf
pf_load="YES"
pflog_load="YES"
pfsync_load="YES"

#altq
alq_load="YES"

#wlan
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"
wlan_acl_load="YES"
wlan_xauth_load="YES"

# run driver
if_run_load="YES"
runfw_load="YES"

# bridge
if_bridge_load="YES"
if_bridgestp_load="YES"

# set wandboard to use 1 cpu
hw.ncpu=1

These options give me various wlan capabilities, the pf devices, the bridge device, and altq.  I've also loaded the kernel module for the run driver.

The strategy I want to use for leveraging my existing DHCP server and existing network is to configure my wireless point as a transparent bridge. The bridge device provides exactly what I want, by enabling me to bridge the ffec0 and run0 interfaces.

My /etc/rc.conf includes:

# hostname
hostname="wandboard"

# services
ntpdate_enable="YES"
sshd_enable="YES"
hostapd_enable="YES"

# pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"

# lan
ifconfig_ffec0="DHCP"

# turn off sendmail
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"

# wireless
wlans_run0="wlan0"
create_args_wlan0="wlanmode hostap mode 11g"
ifconfig_wlan0="ssid snagglepuss11 channel 11"

# bridge
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ffec0 addm wlan0 up"

This configuration sets up the lan interface on DHCP, the wifi interface as an 11g access point on channel 11, and then bridges the two interfaces.  At this point, we have a working wifi interface.  However, it's not secured yet.

My /etc/hostapd.conf file, the configuration file for hostapd, looks like this:

interface=wlan0
logger_syslog=-1
logger_syslog_level=2
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=snagglepuss1
wpa=1
wpa_passphrase=xxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

It's pretty simple; I have WPA-PSK (WPA Personal) authentication on the interface wlan0, with the ssid khublacom1.
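
A quick audit of the hostapd.conf above, as an added example that is not part of the original post: wpa is a bitfield (1 = WPA, 2 = WPA2/RSN), so wpa=1 with TKIP listed in wpa_pairwise selects the older protocol and cipher. The function names, finding labels, the WPA2-only sample and the 644 file mode are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original post): flag legacy WPA settings in hostapd.conf.

report() { echo "$1"; bad=$((bad + 1)); }

# Print the value of the last "key=value" line for key $2 in file $1.
conf_get() { sed -n "s/^$2=//p" "$1" | tail -n 1; }

# Print one finding per line; exit status is 0 only when nothing was flagged.
audit_hostapd() {
    conf=$1; bad=0
    wpa=$(conf_get "$conf" wpa)
    case "${wpa:-0}" in            # wpa is a bitfield: 1 = WPA, 2 = WPA2/RSN
        0)   report "OPEN: wpa is unset or 0, the network is unencrypted" ;;
        1|3) report "WPA1: wpa=$wpa enables the original WPA, use wpa=2" ;;
    esac
    for key in wpa_pairwise rsn_pairwise; do
        case " $(conf_get "$conf" "$key") " in
            *" TKIP "*) report "TKIP: $key allows TKIP, use CCMP only" ;;
        esac
    done
    pass=$(conf_get "$conf" wpa_passphrase)
    if [ -n "$pass" ] && { [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; }; then
        report "PSK_LEN: wpa_passphrase must be 8 to 63 characters"
    fi
    # The passphrase is stored in clear text, so the file must not be world-readable.
    if [ -n "$(find "$conf" -perm -004 -print)" ]; then
        report "PERMS: $conf is world-readable"
    fi
    [ "$bad" -eq 0 ]
}

# Constructed samples: the post's settings (xxxx is its placeholder passphrase)
# and a WPA2-only variant. The 644 mode on post.conf is an assumption for the demo.
write_samples() {
    printf '%s\n' interface=wlan0 ssid=snagglepuss1 wpa=1 wpa_passphrase=xxxx \
        wpa_key_mgmt=WPA-PSK 'wpa_pairwise=CCMP TKIP' > "$1/post.conf"
    printf '%s\n' interface=wlan0 ssid=snagglepuss1 wpa=2 wpa_key_mgmt=WPA-PSK \
        wpa_passphrase=constructed-example-passphrase rsn_pairwise=CCMP > "$1/hardened.conf"
    chmod 644 "$1/post.conf"; chmod 600 "$1/hardened.conf"
}

tmp=$(mktemp -d)
write_samples "$tmp"
for f in post hardened; do
    echo "== $f.conf"
    audit_hostapd "$tmp/$f.conf" || echo "-> $bad finding(s)"
done
rm -rf "$tmp"
```

On the access point itself, the same check is audit_hostapd /etc/hostapd.conf.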

Finally, I decided to implement some simple packet filtering.  /etc/pf.conf looks like this:

# interfaces
lan_if="ffec0"
wifi_if="wlan0"

# options
set block-policy return
set optimization conservative

# pass on lo (a "set" option, so it has to come before the scrub and filter rules)
set skip on lo

# normalization
scrub in all
scrub out all

# anti-spoof
antispoof for $lan_if inet

# default, deny everything
block in log all

# out is ok
pass out quick

# pass inet4 and inet6 traffic in on wifi and lan
pass in on $wifi_if inet
pass in on $wifi_if inet6
pass in on $lan_if inet
pass in on $lan_if inet6

# icmp all good
pass out inet proto icmp from any to any keep state
pass in quick inet proto icmp from any to any keep state

I allow all IPv4 and IPv6 traffic in on the wifi interface.

I don't have a web interface yet; I've had some trouble reliably compiling on the current builds of FreeBSD ARM.  However, I'm sure that'll be worked out shortly.

2 Responses to "Building my own wireless point"

  • beatgammit
    March 17, 2014 - 11:30 am

    Awesome! I was just about to build one myself using a Beagle Bone Black and was wondering if this particular chipset would work before purchasing.

    Thanks for the blog post!

  • FreeBSD as a Wireless Access Point (WAP) | Andreas' Blog
    August 25, 2014 - 12:41 pm

    […] Quick Wireless Setup On FreeBSD Howto create a FreeBSD wireless router/access point How To Set Up A FreeBSD Wireless Access Point My home firewall router with FreeBSD—A year retrospective Building my own wireless point […]