# Dual Band AP - FreeBSD 10.3 - Howto



## Joe_G (Jul 10, 2016)

For a long time, I wanted to have a FreeBSD dual band AP. I sort of wanted to take the easy way out, so I thought Google would be my friend and lead me to "easy" instructions. Not so. Even searching these forums, the FreeBSD Handbook and FAQ, I found nothing that provided all the pieces. I achieved my goal and would like to share my configuration here. I am by by no means an expert, so I welcome suggestion on improvements.

The router/AP consists of two Atheros dual band PCI-e, one PCI-e Realtek gigabit ethernet card and an onboard Atheros gigabit ethernet. The Realtek card is the WAN connection to the outside world, the on board Atheros NIC connects to an 8 port switch for wired connections (mainly printers). The two wireless interfaces are bridged with the wired LAN interface, network addresses are served on and NAT is done on the bridge interface. The SSID for the 2GHz band is "ICE_Van_2G" and the 5GHZ band "ICE_Van_5G" You'll want to change these!

Software used:

The router/AP is not DNS server. (No unbound or BIND)

The base system install of pf is used for the firewall and NAT.
The base system install of hostapd is used for WPA authentication.

net/isc-dhcp43-server is used for serving ipv4 addresses.
A few things I learned:

A lot of online documentation leads one to believe that a lot of the wireless interface configuration should be done in /etc/hostapd.conf. I found this to NOT be true. My /etc/hostapd.conf files are used solely for WPA configuration. 

As much configuration as possible should be done in /etc/rc.conf, especially wireless interface configuration.
If HT capability is necessary, it must be done via `ifconfig` in /etc/rc.conf, it cannot be configured in hostapd.conf
The documentation to automagically load up two instances of `hostapd` upon boot is non-existent. Examination of the /etc/rc.d/hostapd only revealed the "secret" of appending 'wlanX' to 'hostapd' to create /etc/hostapd-wlanX.conf
None of this is original work. I'm greatly indebted to those who contributed to the FreeBSD Handbook and FAQ, people who've posted on forums like this an websites like https://cooltrainer.org/

I use `ee` as my editor, if `vi`, `nano` or any other editor is used, please invoke that where `ee` is seen below.

So, let's get started:

The system's network hardware must be known:
`pciconf -lv`

```
re0@pci0:1:0:0:   class=0x020000 card=0x34687470 chip=0x816810ec rev=0x06 hdr=0x00
  vendor  = 'Realtek Semiconductor Co., Ltd.'
  device  = 'RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller'
  class  = network
  subclass  = ethernet
ath0@pci0:3:0:0:   class=0x028000 card=0x3a7e1186 chip=0x0030168c rev=0x01 hdr=0x00
  vendor  = 'Qualcomm Atheros'
  device  = 'AR93xx Wireless Network Adapter'
  class  = network
alc0@pci0:4:0:0:   class=0x020000 card=0xe0001458 chip=0x10831969 rev=0xc0 hdr=0x00
  vendor  = 'Qualcomm Atheros'
  device  = 'AR8151 v2.0 Gigabit Ethernet'
  class  = network
  subclass  = ethernet
ath1@pci0:5:0:0:   class=0x028000 card=0x30a4168c chip=0x002e168c rev=0x01 hdr=0x00
  vendor  = 'Qualcomm Atheros'
  device  = 'AR9287 Wireless Network Adapter (PCI-Express)'
  class  = network
```

re0 - PCI-e gigabit NIC
ath0 - PCI-e wireless card
alc0 - onboard gigbit NIC
ath1 - PCI-e wireless card

1) Install net/isc-dhcp43-server
`cd /usr/ports/net/isc-dhcp43-server`
`make rmconfig`
`make clean && make install clean`

2) Edit /boot/loader.conf
`echo 'if_bridge_load="YES"' >> /boot/loader.conf`
`echo 'bridgestp_load="YES"' >> /boot/loader.conf`

3) Edit /etc/rc.conf
Syntax here is available via the FreeBSD handbook. I suggest printing the iconfig() manual page, it's a great reference. Upon system reboot, the wlan0 ad wlan1 interfaces with be configured in AP mode and added to the bridge with alc0. The bridge will be assigned an IP address and the DHCP server and NAT will run on it.

`ee /etc/rc.conf`

```
hostname="Zaphod"

ipv6_activate_all_interfaces="YES"

ifconfig_alc0="up"

ifconfig_re0="DHCP -lro -tso"
ifconfig_re0_ipv6="inet6 accept_rtadv"
rtsold_enable="YES"

wlans_ath0="wlan0"
create_args_wlan0="wlanmode hostapd"
ifconfig_wlan0="up HOSTAP country US ssid ICE_Van_5G mode 11na channel 153:ht/40- indoor shortgi regdomain FCC3 wme dotd"

wlans_ath1="wlan1"
create_args_wlan1="wlanmode hostapd"
ifconfig_wlan1="up HOSTAP country US ssid ICE_Van_2G mode 11ng channel 11:ht/40- indoor shortgi regdomain FCC3 wme dotd"

cloned_interfaces="bridge0"
ifconfig_bridge0="inet 10.191.135.1/24 addm wlan0 addm wlan1 addm alc0 up"

defaultrouter="XXX.XXX.XXX.XXX"

dhcpd_enable="YES"
dhcpd_flags="-q"
dhcpd_conf="/usr/local/etc/dhcpd.conf"
dhcpd_ifaces="bridge0"

gateway_enable="YES"

pf_enable="YES"
pflog_enable="YES"
pflog_logfile="var/log/pflog"

sshd_enable="YES"
ntpd_enable="YES"
ntpd_flags="-g"
powerd_enable="YES"
devd_enable="YES"
microcode_update_enable="YES"

darkstat_enable="YES"
darkstat_interface="re0"
vnstat_enable="YES"
```

4) Edit /usr/local/etc/dhcpd.conf
Just delete what's in there already. Since I'm not running a DNS servers, I send 3 servers for the clients to use. I also ensure that my main computer "Cerberus" is always assigned the same address.
`ee /usr/local/etc/dhcpd.conf`

```
option domain-name-servers 209.244.0.3, 208.67.222.222, 156.154.70.1;
option subnet-mask 255.255.255.0;

default-lease-time 14400;
max-lease-time 86400;

subnet 10.191.135.0 netmask 255.255.255.0 {
  range 10.191.135.31 10.191.135.100;
  option routers 10.191.135.1;
}
  host Cerberus {
   fixed-address 10.191.135.2;
   hardware ethernet 00:24:d6:86:f5:da;
}
```

5) Edit /etc/dhclient.conf
I prepend my chosen DNS servers, so I'm not forced to use my ISP's.
`ee /etc/dhclient.conf`

```
interface "re0" {
   send host-name "Zaphod";
   prepend domain-name-servers 209.244.0.3, 208.67.222.222, 156.154.70.1;
   }
```

6) Create the /etc/hostapd-wlanX.conf files.

`ee /etc/hostapd-wlan0.conf`

```
interface=wlan0
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
wpa=2
wpa_passphrase=t0p!secret&PWD
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
```

`ee /etc/hostapd-wlan1.conf`

```
interface=wlan1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
wpa=2
wpa_passphrase=ultra_S3cr3t~pwd
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
```

7) Following the Chapter 8 of The FreeBSD Handbook on configuring a custom kernel, append the following lines to the end of the configuration file:

```
# Firewall
device pf
device pflog
device pfsync
options  ALTQ
options  ALTQ_CBQ  # Class Bases Queuing (CBQ)
options  ALTQ_RED  # Random Early Detection (RED)
options  ALTQ_RIO  # RED In/Out
options  ALTQ_HFSC  # Hierarchical Packet Scheduler (HFSC)
options  ALTQ_PRIQ  # Priority Queuing (PRIQ)
options  ALTQ_NOPCC  # Required for SMP build

# FAST IPsec Support
device  crypto
device     cryptodev
device      aesni
device  enc
```

8) Create / edit /etc/pf.conf
`ee /etc/pf.conf`

```
### pf.conf
## macros
# internal and external interfaces
int_if = "bridge0"
ext_if = "re0"

# Private networks, we are going to block incoming traffic from them
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

## options
set block-policy drop
set loginterface $ext_if
set skip on lo0

## scrub
scrub out log on $ext_if all random-id min-ttl 15 set-tos 0x1c fragment reassemble
scrub log on $ext_if all reassemble tcp fragment reassemble

scrub in on $ext_if all fragment reassemble

## nat/rdr
# NAT traffic from internal network to external network through external interface
nat on $ext_if inet from ! ($ext_if) to any -> ($ext_if)
# Pass HP DirectJet to correct printers
rdr pass on $ext_if inet proto tcp from any to port 9100 -> 10.191.135.16 port 9100
rdr pass on $ext_if inet proto tcp from any to port 9101 -> 10.191.135.15 port 9100
rdr pass on $ext_if inet proto tcp from any to port 9102 -> 10.191.135.14 port 9100

## filter rules
block in on $ext_if all
antispoof for $ext_if inet
block in quick on $ext_if proto tcp flags FUP/WEUAPRSF
block in quick on $ext_if proto tcp flags WEUAPRSF/WEUAPRSF
block in quick on $ext_if proto tcp flags SRAFU/WEUAPRSF
block in quick on $ext_if proto tcp flags /WEUAPRSF
block in quick on $ext_if proto tcp flags SR/SR
block in quick on $ext_if proto tcp flags SF/SF

# block incoming traffic from private networks on external interface
block in quick on $ext_if from $priv_nets to any

# allow access to ssh on external interface
pass in on $ext_if inet proto tcp from any to ($ext_if) port 22 flags S/SAFR keep state

# allow in ping replies
pass in inet proto icmp all icmp-type echoreq keep state

# allow all internal traffic
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

# allow all traffic out via external interface
pass out on $ext_if proto {tcp, udp, icmp } all modulate state flags S/SAFR
pass out on $ext_if inet6 proto { tcp, udp, icmp6 } all modulate state flags S/SAFR
```

9) Reboot and you're set to go.
`shutdown -r now`

10) Software I use for monitoring:
vnstat net/vnstat
bwm-ng net-mgmt/bwm-ng
nload net/nload
darkstat net-mgmt/darkstat


----------



## Phishfry (Jul 10, 2016)

I have done this myself.
I took a different approach and used a routed network instead of bridged to segregate traffic.
I also used dns/dnsmasq for the dhcp server.
Dual Mikrotik Atheros miniPCIe modules on a IEI SBC.


----------



## Joe_G (Jul 10, 2016)

Awesome! I've been looking at those Mikrotik cards, good to know you were successful.


----------



## Phishfry (Jul 10, 2016)

R11e-2HPnD and R11e-5HnD is what I used. I like the MMCX connectors.

I do remember having to use HT40 in the rc.conf interface setup like you show to get 80211N working.

I do not use the regulatory regime like you as it is really only needs to be set once. It is stored in the eeprom. You can read the modules current region with commands.


----------



## Joe_G (Jul 10, 2016)

Thanks for the model numbers. Always good to know they work before buying. There's a supplier close to me with retail service.


----------



## Phishfry (Jul 10, 2016)

I saw interrupt problems on an APU2C with those dual modules so it depends on your platform whether it works.. Just wanted throw that out there before you buy. Also make sure you increase your power budget as these draw a good amount.
Have you seen this desktop adapter which works for either wifi or cellular modules?


----------



## Joe_G (Jul 11, 2016)

You're more advanced than me! That APU2C board looks interesting. I'm actually using an old i7-2600K PC with 4GB of DDR3 and a 500W power supply, so I should be OK on power. A vendor called ISP Supplies has a retail shop in College Station, TX, not far from me. I'm going to get one of those adapters also. http://www.ispsupplies.com/supportcenter/?search=RB14++[\URL].


----------



## andrewm659 (Jul 18, 2016)

This is awesome! I'm actually trying to set this up on a Raspberry Pi  2 using FreeBSD 11-BETA1.  

Any tips?  

I'm using a Ralink RT2573.


----------



## aht0 (Jul 19, 2016)

Phishfry said:


> Have you seen this desktop adapter which works for either wifi or cellular modules?


I happen to own Mikrotik RB14EU.  I assume it's the one you mean. This has cellular support (4xSIM card slots and USB2 interface cable for it), RB14E seems to come without cellular capability.

Using  R11e-5HnD (Atheros AR9485) on it. With the latter, you can only use it on certain Mikrotik boards or for PC, in RB14E(U) adapter, it's PCB power leads are somewhat customized, you would not get even fraction of WLAN cards' full design power out of it, using "generic" PCIe-miniPCIe adapter.

Haven't really tested the cellular properly, I did put Ericsson F5521GW in my RB14EU (which is in my pfSense box) and this 3,5G wwan card seemed to be properly recognized and all cellular configuration options properly existing. I simply did not have the spare SIM card. I can't give you any guarantees though.


----------



## Joe_G (Jul 19, 2016)

The Ralink cards are usually well supported, especially an older one in the 2500 series,but check to ensure that it can act as an AP:
`ifconfig wlan0 list caps`

```
drivercaps=4f85ed01<STA,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,MBSS,WPA1,WPA2,BURST,WME,WDS,TXFRAG>
cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>
htcaps=701ee<CHWIDTH40,SHORTGI20,SHORTGI40,TXSTBC>
```
Look for "HOSTAP" or "AP" in the drivercaps line. If you're intending to make a dual band AP, you'll need two cards. I don't know of any card that allows both radios to be used simultaneously.

Also, check which channels the card(s) support:
`ifconfig wlan0 list txpower`

```
Channel  1 : 2412 MHz 31.5 reg 27  Channel  64 : 5320 MHz 31.5 reg 20  
Channel  2 : 2417 MHz 31.5 reg 27  Channel 100 : 5500 MHz 31.5 reg 20  
Channel  3 : 2422 MHz 31.5 reg 27  Channel 104 : 5520 MHz 31.5 reg 20  
Channel  4 : 2427 MHz 31.5 reg 27  Channel 108 : 5540 MHz 31.5 reg 20  
Channel  5 : 2432 MHz 31.5 reg 27  Channel 112 : 5560 MHz 31.5 reg 20  
Channel  6 : 2437 MHz 31.5 reg 27  Channel 116 : 5580 MHz 31.5 reg 20  
Channel  7 : 2442 MHz 31.5 reg 27  Channel 120 : 5600 MHz 31.5 reg 20  
Channel  8 : 2447 MHz 31.5 reg 27  Channel 124 : 5620 MHz 31.5 reg 20  
Channel  9 : 2452 MHz 31.5 reg 27  Channel 128 : 5640 MHz 31.5 reg 20  
Channel  10 : 2457 MHz 31.5 reg 27  Channel 132 : 5660 MHz 31.5 reg 20  
Channel  11 : 2462 MHz 31.5 reg 27  Channel 136 : 5680 MHz 31.5 reg 20  
Channel  36 : 5180 MHz 31.5 reg 17  Channel 140 : 5700 MHz 31.5 reg 20  
Channel  40 : 5200 MHz 31.5 reg 17  Channel 149 : 5745 MHz 31.5 reg 30  
Channel  44 : 5220 MHz 31.5 reg 17  Channel 153 : 5765 MHz 31.5 reg 30  
Channel  48 : 5240 MHz 31.5 reg 17  Channel 157 : 5785 MHz 31.5 reg 30  
Channel  52 : 5260 MHz 31.5 reg 20  Channel 161 : 5805 MHz 31.5 reg 30  
Channel  56 : 5280 MHz 31.5 reg 20  Channel 165 : 5825 MHz 31.5 reg 30  
Channel  60 : 5300 MHz 31.5 reg 20
```


----------

