# Dnsmasq problem with FreeBSD 8.0



## wonslung (Nov 16, 2009)

I'm trying to get hostapd working in FreeBSD 8 RC3.

I'm sure I'm doing something wrong... anyway, I get this error:

```
wlan0: IEEE 802.11 Fetching hardware channel/rate support not supported.
```


Edit: I've fixed this error, but I'm still not able to get IP addresses...

My driver is ral.

I kept the SSID as pfsense because I was using pfSense as an access point before this... anyway, here's my config:


```
hw_mode=g
interface=wlan0
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
#### IEEE 802.11 related config ####
ssid=pfsense
macaddr_acl=0
auth_algs=1
#### IEEE 802.1X related config ####
ieee8021x=
#### WPA/IEEE 802.11i config #####
wpa=2
wpa_passphrase=xxxxxxxxxxxxxxxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
```
Any help would be greatly appreciated.


----------



## wonslung (Nov 16, 2009)

Actually, I'm thinking my problem is with dnsmasq.

I'm able to connect, but I'm not given an IP.

This is my dnsmasq config. It works fine for the wired addresses...

```
domain-needed
bogus-priv
#local=/localnet/
#interface=
# Or you can specify which interface _not_ to listen on
except-interface=em1
expand-hosts
domain=localnet.home
dhcp-range=em0,192.168.1.100,192.168.1.254,12h
dhcp-range=wlan0,192.168.2.100,192.168.2.254,12h
```


Edit:

I'm almost positive it's something with dnsmasq. I just set up the network without encryption at all and I STILL can't get IP addresses.

I'm totally lost as to what I'm doing wrong. I've tried setting up dnsmasq multiple ways... this is driving me somewhat nuts.


----------



## wonslung (Nov 16, 2009)

I solved this problem. It's very odd... it was a firewall issue, but the exact problem didn't come to light until I installed isc-dhcp-server.

For some reason, even with the firewall issue, that particular port was able to give out DHCP IPs while dnsmasq was not. Once I was able to GET an IP, it was obvious that the firewall policy was bad. Anyway, I got it working.

On a side note, the new wireless code in FreeBSD 8 is GREAT.


----------



## rbelk (Nov 17, 2009)

What did you have to change in your firewall rules? I'm just interested.


----------



## wonslung (Nov 18, 2009)

rbelk said:

> What did you have to change in your firewall rules? I'm just interested.



I'm not so good with pf rules yet... I just know that a very permissive ruleset works and the rules I had didn't.

I'm going to start from scratch with the rules when I have time and see what I can learn.

These are the rules which DON'T work, which I'd like to get working.


```
#------------------------------------------------------------------------
# macros
#------------------------------------------------------------------------
# interfaces
ext_if  = "em1"
int_if  = "em0"
wifi_if = "wlan0"
#protocol
icmp_types = "{ echoreq, unreach }"
#hosts
rtor = "192.168.1.18"
scp_j = "192.168.1.53"
Xbox360 = "192.168.1.22"
#ports
Xlive_tcp = "{ http, https, 3074 }"
Xlive_udp = "{ 88, 3074 }"
rtor_ports = "{http, https }"
#nets
lan_net = "{ 192.168.1.0/24, 192.168.2.0/24 }"
priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"
# config
#------------------------------------------------------------------------
# options
#------------------------------------------------------------------------
# config
set block-policy drop
set loginterface $ext_if
set skip on lo0
set optimization conservative
# scrub
#scrub all reassemble tcp no-df
#scrub in all fragment reassemble
scrub out all random-id

#------------------------------------------------------------------------
# redirection (and nat, too!)
#------------------------------------------------------------------------
# network address translation
#nat on egress from $Xbox360       to any tag EGRESS -> ($ext_if:0) static-port
nat on egress from (self)         to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on egress from $int_if:network to any tag EGRESS -> ($ext_if:0) port 1024:65535
nat on $ext_if from $Xbox360 to any -> ($ext_if:0) static-port
nat on $ext_if from $lan_net to any -> ($ext_if)
nat-anchor "ftp-proxy/*"
rdr-anchor "ftp-proxy/*"
rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
rdr on $ext_if proto tcp from any to $ext_if port $rtor_ports -> $rtor
rdr on $ext_if proto tcp from any to $ext_if port 50022 -> $scp_j port ssh
rdr on $ext_if proto tcp from any to $ext_if port 10000:10040 -> $rtor
rdr on $int_if proto tcp from $lan_net to $ext_if port $rtor_ports -> $rtor
rdr on $ext_if inet proto udp from any to ($ext_if) port $Xlive_udp tag XBOX360 -> $Xbox360
rdr on $ext_if inet proto tcp from any to ($ext_if) port $Xlive_tcp tag XBOX360 -> $Xbox360
no nat on $int_if proto tcp from $int_if to $lan_net
nat on $int_if proto tcp from $lan_net to $rtor port $rtor_ports -> $int_if 
#------------------------------------------------------------------------
# firewall policy
#------------------------------------------------------------------------
# restrictive default rules
block log all
pass out keep state
anchor "ftp-proxy/*"
block drop in log on $ext_if from $priv_nets to any
block drop out log on $ext_if from any to $priv_nets
# anti spoofing
antispoof for { $int_if, $wifi_if, $ext_if }

pass log proto tcp from any to $rtor port $rtor_ports synproxy state
pass log proto tcp from any to $scp_j port ssh synproxy state
pass log proto tcp from any to $rtor port 10000:10040 synproxy state
pass in log on $ext_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass in log on $ext_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass out log on $int_if inet proto udp from any to $Xbox360 port $Xlive_udp keep state tagged XBOX360
pass out log on $int_if inet proto tcp from any to $Xbox360 port $Xlive_tcp flags S/SAFR synproxy state tagged XBOX360
pass in log on $int_if inet proto udp  from $Xbox360 to any port $Xlive_udp keep state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state
pass in log on $int_if inet proto tcp  from $Xbox360 to any port $Xlive_tcp flags S/SAFR synproxy state


pass inet proto icmp all icmp-type $icmp_types keep state
pass out on $ext_if inet proto udp from any to any port 33433 >< 33626 keep state

pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state

pass out on $ext_if proto tcp all modulate state flags S/SA
pass out on $ext_if proto { udp,icmp } all keep state
```

I'm thinking it's something in my pass rules. Maybe I need to make something like pass in quick for the DHCP ports on the int_if.

I'm really not great at pf rules yet, so if anyone can see the problem let me know.
Maybe adding

```
pass in  from $lan_net to $lan_net keep state
pass out from $lan_net to $lan_net keep state
```
will fix it.

I'll try and report back.


----------



## DutchDaemon (Nov 18, 2009)

Specifically for DHCP? This should be sufficiently safe.


```
pass quick on $int_if inet proto tcp from any port { 67, 68 } to any port { 67, 68 } keep state flags S/SA
pass quick on $int_if inet proto udp from any port { 67, 68 } to any port { 67, 68 } keep state
```


----------



## wonslung (Nov 18, 2009)

DutchDaemon said:

> Specifically for DHCP? This should be sufficiently safe.
>
> ```
> ...





Why didn't

```
pass in  on $int_if from $int_if:network to any keep state
pass out on $int_if from any to $int_if:network keep state
```

work?


----------



## DutchDaemon (Nov 18, 2009)

Because DHCP traffic doesn't originate from an IP address (you'd see 0.0.0.0 <--> 255.255.255.255 type broadcast traffic) -- it's there to *get* an IP address

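To make the point above concrete, here is an added example (not code from the thread or from pf itself) that builds the two datagrams of a DHCP exchange as they appear on the wire, a DISCOVER from an addressless client (0.0.0.0:68 to 255.255.255.255:67) and the broadcast OFFER back (192.168.1.1:67 to 255.255.255.255:68), parses the IPv4/UDP headers and DHCP message type back out, and evaluates two hypothetical pf-style match predicates against them: one keyed on the LAN subnet, like the poster's `from $int_if:network` / `to $int_if:network` rules, and one keyed on the DHCP ports, like the suggested replacement. The client MAC, transaction ID and server address are made up; the subnet 192.168.1.0/24 is the one from the poster's dnsmasq config.

```python
"""Added example: why a pf rule keyed on $int_if:network never matches DHCP."""
import ipaddress
import struct

LAN_NET = ipaddress.ip_network("192.168.1.0/24")  # stands in for $int_if:network
SERVER_PORT, CLIENT_PORT = 67, 68
COOKIE = b"\x63\x82\x53\x63"                      # DHCP magic cookie (RFC 2131)
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK"}


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_dhcp(op, msgtype, src, dst, sport, dport, mac, yiaddr="0.0.0.0"):
    """Constructed IPv4/UDP/BOOTP datagram carrying one DHCP message-type option."""
    # BOOTP fixed header: op, htype=1 (Ethernet), hlen=6, hops, xid (made up),
    # secs, flags (0x8000 = client asks for broadcast replies), ciaddr, yiaddr, siaddr, giaddr
    bootp = struct.pack("!BBBBIHH4s4s4s4s", op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, ipaddress.ip_address(yiaddr).packed, b"\0" * 4, b"\0" * 4)
    bootp += mac.ljust(16, b"\0") + b"\0" * 64 + b"\0" * 128   # chaddr, sname, file
    bootp += COOKIE + bytes([53, 1, msgtype, 0xFF])            # option 53, then end
    udp = struct.pack("!HHHH", sport, dport, 8 + len(bootp), 0) + bootp  # UDP csum 0 = absent
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + udp


def dhcp_message_type(bootp: bytes):
    """Walk the option list after the 236-byte fixed header, looking for option 53."""
    if len(bootp) < 240 or bootp[236:240] != COOKIE:
        return None
    i = 240
    while i < len(bootp) and bootp[i] != 0xFF:
        if bootp[i] == 0:                        # pad option has no length byte
            i += 1
            continue
        code, length = bootp[i], bootp[i + 1]
        if code == 53 and length == 1:
            return MSG_TYPES.get(bootp[i + 2], bootp[i + 2])
        i += 2 + length
    return None


def parse_ipv4_udp(packet: bytes) -> dict:
    """Extract the fields a pf rule matches on; rejects anything but IPv4/UDP."""
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    if ver_ihl >> 4 != 4 or proto != 17:
        raise ValueError("not an IPv4/UDP datagram")
    ihl = (ver_ihl & 0x0F) * 4
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    sport, dport, _, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "sport": sport, "dport": dport, "msgtype": dhcp_message_type(packet[ihl + 8:])}


def lan_rule_matches(f: dict, direction: str) -> bool:
    """'pass in on $int_if from $int_if:network to any' (in) / '... to $int_if:network' (out)."""
    return (f["src"] if direction == "in" else f["dst"]) in LAN_NET


def dhcp_rule_matches(f: dict) -> bool:
    """'pass quick on $int_if inet proto udp from any port {67,68} to any port {67,68}'."""
    return {f["sport"], f["dport"]} <= {SERVER_PORT, CLIENT_PORT}


def evaluate_exchange() -> dict:
    """Run both rules over a DISCOVER (inbound on $int_if) and the OFFER (outbound)."""
    mac = bytes.fromhex("001122334455")                        # made-up client MAC
    discover = parse_ipv4_udp(build_dhcp(1, 1, "0.0.0.0", "255.255.255.255",
                                         CLIENT_PORT, SERVER_PORT, mac))
    offer = parse_ipv4_udp(build_dhcp(2, 2, "192.168.1.1", "255.255.255.255",
                                      SERVER_PORT, CLIENT_PORT, mac, "192.168.1.100"))
    return {
        "discover": (discover["msgtype"], str(discover["src"]), str(discover["dst"]),
                     lan_rule_matches(discover, "in"), dhcp_rule_matches(discover)),
        "offer": (offer["msgtype"], str(offer["src"]), str(offer["dst"]),
                  lan_rule_matches(offer, "out"), dhcp_rule_matches(offer)),
    }


if __name__ == "__main__":
    for name, (kind, src, dst, lan, dhcp) in evaluate_exchange().items():
        print(f"{name:8} {kind:8} {src} -> {dst}  lan-net rule: {lan}  dhcp-port rule: {dhcp}")
```

Both the DISCOVER and the broadcast OFFER fail the subnet-keyed rules (neither 0.0.0.0 nor 255.255.255.255 lies inside 192.168.1.0/24), so with `block log all` as the default they are dropped, while the port-keyed rule matches both directions. A unicast RENEW from a client that already holds a lease does have a source inside the subnet, which is why a lease obtained some other way can keep working under the broken ruleset.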

----------



## wonslung (Nov 18, 2009)

DutchDaemon said:

> Because DHCP traffic doesn't originate from an IP address (you'd see 0.0.0.0 <--> 255.255.255.255 type broadcast traffic) -- it's there to *get* an IP address



Yeah, that makes sense, I guess...


Thanks for the help. It's working now.


----------

