#################################################################################
# Searchable Keywords: wireless filter brconfig mac pf 802.11                   #
#################################################################################

Updated: 5/4/12
* See the lines with a single * for these updates

----------------------------------------------------------------------
------- Build your own wireless access point using OpenBSD -----------
----------------------------------------------------------------------

Introduction:

There are other papers that cover this information, and in quite a bit
more detail. I suggest you take some time to review as many of them as
you can. I thought there were some details missing about the different
types of chipsets and their configurability. You should be at least
slightly familiar with OpenBSD and some of its abilities and
configuration. This how-to is just to get you started. I wanted to see
if it could be done and what the potential was.

Summary:

- a machine loaded with OpenBSD
- enable IP forwarding in /etc/sysctl.conf
- enable pf filtering in /etc/rc.conf
- the OpenBSD host must have at least 2 interfaces
- one interface will be your wireless interface
- assign an IP address to the LAN-facing interface
- create a bridge interface on the BSD host   * See below for update
- add the two interfaces to the bridge interface
- pass the appropriate IP traffic through the pf filter

===============================================================================

WARNING !

Security: Wireless networking is tricky to secure. It is easy to enable
WEP on your wireless access point's interface, but there are other, more
comprehensive methods that can help lock down your access point. You
should research these methods before putting any sensitive information
on your wireless network.
Methods of securing wireless networks under OpenBSD include, but may not
be limited to:

WEP     - Recently I heard that WEP-secured networks are considered "open
          networks" because of freely available tools that can crack WEP
          in less than 60 seconds (those tools will not be covered here).
          Treat a WEP network as an open network and rely on one of the
          methods below for confidentiality.
authpf  - authpf is able to manipulate the pf rules based on user
          access: a user authenticates over ssh, and pf rules for that
          user's address are loaded for as long as the session is open.
IPsec   - IP security is usually part of a VPN implementation and
          encrypts data from one point to another.
OpenVPN - SSL/TLS based user-space VPN.

==============================================================================

------------------------------------------------------------------
--This paper was written with the following environment in mind.--
------------------------------------------------------------------

This was written with wireless home networking in mind, not corporate
networks. I am sure it could be scaled up, but practicality, the lack of
current support for 802.11n, documentation and maintenance would rule
out this approach. It's fun, it gives you more options in a home
networking environment than consumer products, and you would not have
to buy a consumer product if you (or your neighbor) had an old laptop or
desktop lying around.

LAN:  primary and secondary DNS servers, DHCP server, file servers and
      the default router exist here.

WLAN: A Toshiba Portege 7000CT laptop running OpenBSD 4.3 serves as the
      hardware for the access point. The LAN side is connected through
      the physical ethernet connection on the laptop. The WLAN is
      connected through a D-Link DWL-G650 PCMCIA card. DHCP requests
      coming from the WLAN are redirected via pf through the bridge
      interface on the AP to the LAN DHCP server.

==================================================================================================

-------------------------------------------------------------------
------ A word, but not the last word about wireless cards. --------
-------------------------------------------------------------------

I don't know where you shop for electronics, but I found that some of
these cards can be hard to find. Some, I know, are discontinued
altogether. Prism2 cards seem to be the wireless card of choice for
OpenBSD access points; drivers for those chipsets have been supported
longer, I suppose. The two that I could most frequently find were
Atheros and Broadcom. It seemed to me that Broadcom was not supported
as well as the Atheros chips. See this page for supported
chipsets/drivers on OpenBSD:

  http://www.openbsd.org/faq/faq6.html#Wireless

...........................................................................
Prism cards that support AP mode
...........................................................................

  D-Link DWL-630
  D-Link DWL-650

...........................................................................
Mixed Prism, Atheros chipset and dual band PCMCIA and PCI cards.
...........................................................................

Dual band typically means a/b/g; in the case of N it's g/n and most
times b, but I haven't tried a dual band card or an N card yet.

Dual band PCI cards

  Linksys WMP55AG                 ---- 5 stars
  Linksys WMP54G (is only b/g)    ---- 2 stars

Dual band CardBus

  Netgear WAG511     v1 is a Prism chip, v2 is Atheros a/b/g
  Belkin F6D3010     Atheros AR500X chip, a/b/g
  D-Link DWL-AG660   Atheros AR5416            ---- DISCONTINUED
  Linksys WMP55AG    PCI dual band a/b/g
  Linksys WMP54G     b/g

I chose a D-Link DWL-G650 card with an Atheros chipset.

...............................................................................

-----------------------
|OpenBSD configuration|
-----------------------

------- Forwarding and pf system files -------

IP forwarding is needed for routing purposes. (Strictly, the bridge
forwards frames at layer 2 and does not need this sysctl; it only
matters if the AP itself routes between IP networks.)

Edit /etc/sysctl.conf

  net.inet.ip.forwarding=1   # 1=Permit forwarding (routing) of IPv4 packets

Packet filtering.
Edit /etc/rc.conf

  pf=YES   # Packet filter / NAT

-------------------------------------------------
| pf config files |
-------------------------------------------------

Edit /etc/pf.conf

  # vi /etc/pf.conf

  # Bridge interface (see the note below about where pf sees bridged
  # packets)
  br_if="bridge0"

  # LAN-side DHCP server. The redirect target was left blank in the
  # original; set this to your own server's address before loading the
  # file. (If you have no DHCP server on the LAN, run one on the OpenBSD
  # AP; that's not covered here, well, maybe later.)
  dhcp_srv="<LAN DHCP server address>"

  # Redirect DHCP client requests to the LAN-side DHCP server. DHCP is
  # UDP only, and requests go to server port 67; the replies come back
  # to client port 68 and need no redirect.
  rdr on $br_if proto udp from any to any port 67 -> $dhcp_srv

  # Final filtering is done on the default gateway. You could easily
  # place restrictions on the wireless LAN by putting additional pass
  # or block rules in here.
  pass in all
  pass out all

  # pass everything through loopback
  pass in quick on lo0 all
  pass out quick on lo0 all

Two caveats. First, pf evaluates bridged packets on the bridge's member
interfaces (ath0 and fxp0), not on bridge0 itself, so a rule written
"on $br_if" will not match frames crossing the bridge; to redirect or
filter what the wireless clients send, write the rule on ath0. Second,
on a plain bridge the client's DHCP broadcast is forwarded to the LAN
segment unchanged and the LAN DHCP server answers it directly, so the
redirect is optional. Check the file with pfctl -nf /etc/pf.conf before
loading it. (From OpenBSD 4.7 on, "rdr" rules are written as
"pass in ... rdr-to $dhcp_srv" instead; see pf.conf(5) for your release.)

---------------------------------------------------------------------------------

--------------------------------------------
-------------- Interfaces ------------------
--------------------------------------------

---------------------------------------------------------------------------------------

Create the bridge interface.   * See below for update

  # ifconfig bridge0 create

---------------------------------------------------------------------------------------

Create an interface configuration file to bring up the LAN interface on
boot. Edit /etc/hostname.fxp0 (or whatever your interface is: xl0, rl0,
...). Note: this is the LAN-facing interface that gets an IP address.

  # vi /etc/hostname.fxp0
  inet 192.168.20.222 255.255.255.0 NONE

---------------------------------------------------------------------------------------

Create an interface configuration file to bring up the WLAN interface on
boot. Edit /etc/hostname.ath0 (or whatever your interface is). Note:
this is the WLAN-facing interface that will !! NOT !! be given an IP
address. In the case of the DWL-G650, the Atheros driver (ath(4) with
the AR5212 HAL) would NOT let me assign an IP to the interface. Ignore
the error:

  ar5k_ar5212_nic_wakeup: failed to resume the AR5212 (again)
  ath1: unable to reset hardware; hal status 3914612012

The interface actually comes up.

  # vi /etc/hostname.ath0
  up media autoselect mediaopt hostap 11 chan 6 nwid nwkey

This brings the interface up in host AP mode (mediaopt hostap; the "11"
defaulted to 11b for my card, and the ifconfig(8) keyword for choosing a
band explicitly is "mode 11b", "mode 11g" and so on) on channel 6. The
network name after nwid and the key after nwkey are left blank above;
supply your own. To see all the options for your card a handy command
is ifconfig -m ath0 (or whatever your card is).

## See security note above ##

------------------------------------------------------------------------------------------

Create an interface configuration file to bring up the bridge interface
on boot. Edit /etc/bridgename.bridge0   * See below for update
Note: this is the bridging interface that will NOT be given an IP
address.

  # vi /etc/bridgename.bridge0      * See below for update
  add fxp0
  add ath0
  up

The file bridgename.bridge0 calls brconfig for each line. The command
line equivalent is as follows.

  # brconfig bridge0 add fxp0 add ath0 up      * See below for update

--------------------------------------------------------------------------------------------

-----------------------------------------
| Final words |
-----------------------------------------

There is a lot more that can and should be done to secure this kind of
connection. I hope to investigate those methods and, if I have time or
remember, I will add the research to this page. See the security note
at the top of this page. There is a lot more that can be done with
brconfig and the options that can be used in the bridgename.bridge0
file: spanning tree cost, MAC filtering, VLAN manipulation. This I
leave up to you.

Now that several weeks have passed I have observed several things.

- My OpenBSD AP has very little range. Basically, it is limited to the
  room the OpenBSD AP is in. I tried all sorts of gizmos to extend the
  range, just short of cutting the wireless card open and soldering an
  extension to the antenna, but to no avail.
- Heat seems to play a factor in the stability of the wireless interface.
  I simply put a small fan over the laptop acting as my AP. A desktop
  machine may not have either of these problems.

Gary Keen
March 2009, last updated May 29 2010

=======================================================================================================

Future how-tos may include: poor man's cellphone two-factor
authentication, DHCP on OpenBSD, MAC filtering, QoS and traffic shaping
using OpenBSD.

* Starting in what I guess is OpenBSD 4.6 or 4.7, you no longer have to
  create the bridge interface with "ifconfig bridge0 create". The file
  /etc/hostname.bridge0 (or whatever number) will create the interface
  during a reboot (or possibly a network restart). Also, if you didn't
  notice, the name of the bridge file changed from bridgename.bridge0
  to hostname.bridge0. The command brconfig is supposed to be what
  bridgename.bridge0 issued; on the OpenBSD 5 box I was working on I
  couldn't find the brconfig binary. (It was 4.7: brconfig(8) was merged
  into ifconfig(8) in that release, so the lines in /etc/hostname.bridge0
  are passed to ifconfig, and "ifconfig bridge0 add fxp0 add ath0 up" is
  the command line equivalent.)

Based on these observations, one could also use these same
configurations for a bridge that would act as a span port, port mirror,
packet aggregator, whatever you want to call it. Sounds like another
how-to.
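The interfaces section above tells you to run "ifconfig -m ath0" to see
what your card offers, and the whole how-to only works if the driver
lists "mediaopt hostap" there. The script below is an added example, not
code from the original how-to: it parses that "supported media" listing
and reports which 802.11 modes the card can run as an access point in,
so you can check this before writing /etc/hostname.ath0. The two sample
outputs are constructed approximations of what ifconfig -m prints on
OpenBSD (only the "supported media:" header and the "media ... mediaopt
hostap" lines are relied on); the interface names and MAC addresses in
them are made up.

```shell
#!/bin/sh
# Added example: does this wireless card support hostap mode?
# Parses the "supported media" block of "ifconfig -m <if>" output.

# Constructed sample of "ifconfig -m ath0" for a card that can run as
# an AP in 11b and 11g (format approximated from OpenBSD ifconfig).
SAMPLE_ATH0='ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:11:22:33:44:55
        media: IEEE802.11 autoselect hostap (autoselect mode 11b hostap)
        status: active
        supported media:
                media autoselect
                media autoselect mediaopt hostap
                media autoselect mode 11b
                media autoselect mode 11b mediaopt hostap
                media autoselect mode 11g
                media autoselect mode 11g mediaopt hostap
                media autoselect mode 11g mediaopt monitor'

# Constructed sample for a card whose driver offers no hostap mode
# (it can only be a client or a monitor).
SAMPLE_NOAP='wi0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        lladdr 00:aa:bb:cc:dd:ee
        media: IEEE802.11 autoselect
        supported media:
                media autoselect
                media autoselect mode 11b
                media autoselect mediaopt monitor'

# hostap_modes OUTPUT
#   Prints, space separated on one line, the modes for which the card
#   offers "mediaopt hostap": "auto" for the plain autoselect entry,
#   otherwise the value after the "mode" keyword (11a, 11b, 11g, ...).
#   Prints an empty line when the card cannot be an access point.
hostap_modes() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*supported media:/ { inlist = 1; next }
        inlist && /^[ \t]*media / && / mediaopt hostap( |$)/ {
            mode = "auto"
            for (i = 1; i <= NF; i++)
                if ($i == "mode") mode = $(i + 1)
            if (!(mode in seen)) {
                seen[mode] = 1
                out = (out == "") ? mode : out " " mode
            }
        }
        END { print out }'
}

# can_hostap OUTPUT
#   Exit status 0 if at least one hostap media entry exists, 1 otherwise.
can_hostap() {
    [ -n "$(hostap_modes "$1")" ]
}

# On a real OpenBSD box:  sh thisscript.sh --live ath0
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    if can_hostap "$(ifconfig -m "$2")"; then
        echo "$2 supports hostap in modes: $(hostap_modes "$(ifconfig -m "$2")")"
    else
        echo "$2 does not support hostap mode; pick another card" >&2
        exit 1
    fi
fi
```

If the card reports no hostap entry, no amount of editing
/etc/hostname.ath0 will turn it into an access point; that is the
chipset question the card list above is really about.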
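The final words above leave MAC filtering on the bridge "up to you",
and the update notes that bridge configuration has moved into
ifconfig(8). The script below is an added example, not code from the
original how-to: it turns a MAC allow-list into the bridge(4) Ethernet
filter rules that let only listed clients send frames from the wireless
side into the bridge, after validating the list so a typo cannot
silently lock a client out. It assumes the rule syntax documented for
brconfig(8) and, from 4.7 on, ifconfig(8): "flushrule <if>",
"rule pass in on <if> src <mac>" and "rule block in on <if>"; check it
against the man page of your release. The interface names and the MAC
addresses in the sample lists are made up.

```shell
#!/bin/sh
# Added example: generate bridge(4) MAC filter rules from an allow-list.

BRIDGE=bridge0     # the bridge interface
WLAN_IF=ath0       # the wireless (hostap) member of the bridge

# Constructed allow-list: one MAC per line, "#" starts a comment, blank
# lines are ignored. Dashes and upper case are accepted and normalized;
# duplicates are dropped.
ALLOWED_MACS='# laptops allowed on the WLAN
00:11:22:33:44:55   # living room laptop
AA-BB-CC-DD-EE-FF   # upper case with dashes, still accepted
00:11:22:33:44:55   # duplicate, dropped
'

# Constructed list with a typo (g is not a hex digit) that must be rejected.
BAD_MACS='00:11:22:33:44:55
00:11:22:33:44:5g   # bad hex digit
'

# normalize_macs LIST
#   Prints the valid MACs, lower case and colon separated, one per line
#   in input order without duplicates. Rejected entries are reported on
#   stderr and the exit status is 1 if any entry was rejected.
normalize_macs() {
    printf '%s\n' "$1" | awk '
        { sub(/#.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }
        $0 == "" { next }
        {
            m = tolower($0); gsub(/-/, ":", m)
            n = split(m, oct, ":")
            ok = (n == 6)
            for (i = 1; ok && i <= n; i++)
                if (oct[i] !~ /^[0-9a-f][0-9a-f]$/) ok = 0
            if (!ok) { print "rejected: " $0 > "/dev/stderr"; bad = 1; next }
            if (!(m in seen)) { seen[m] = 1; print m }
        }
        END { exit bad + 0 }'
}

# bridge_rule_cmds LIST
#   Prints the ifconfig commands: flush the old rules on the WLAN member,
#   one pass rule per allowed source MAC, then a catch-all block. Bridge
#   rules are matched in order, so the block rule must come last.
#   Refuses to produce rules from an invalid or empty list, since an
#   empty list would block every wireless client.
bridge_rule_cmds() {
    macs=$(normalize_macs "$1") || return 1
    [ -n "$macs" ] || { echo "allow-list is empty, refusing" >&2; return 1; }
    echo "ifconfig $BRIDGE flushrule $WLAN_IF"
    printf '%s\n' "$macs" | while read -r mac; do
        [ -n "$mac" ] || continue
        echo "ifconfig $BRIDGE rule pass in on $WLAN_IF src $mac"
    done
    echo "ifconfig $BRIDGE rule block in on $WLAN_IF"
}

# apply_bridge_rules LIST
#   Runs the generated commands; needs root on the AP. Nothing is
#   changed if the list does not validate.
apply_bridge_rules() {
    cmds=$(bridge_rule_cmds "$1") || return 1
    printf '%s\n' "$cmds" | sh
}

# Usage on the AP (as root):  apply_bridge_rules "$(cat /etc/wlan-allowed-macs)"
```

Treat this as a speed bump, not authentication: MAC addresses travel in
the clear in every 802.11 frame and are trivial to spoof, so the filter
only keeps casual neighbours off the LAN. Confidentiality and real
access control still have to come from the methods in the security note
at the top (authpf, IPsec, OpenVPN).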