I got interested in building my own wireless access point after seeing some of the wireless firmware issues like this. Besides, I've always been interested in embedded devices and FreeBSD.

So, the first step was a device. I chose a Wandboard. I'm a committer to Crochet-FreeBSD, so I built out the Wandboard support in Crochet-FreeBSD; you can take a look here.

For the wireless interface I used a Cisco AE1000 USB adapter. The AE1000 uses the run(4) driver.

Creating the wireless interface and scanning for nearby access points looks like this:

ifconfig wlan0 create wlandev run0
ifconfig wlan0 up scan

On this board I have two interfaces:

ffec0, the wired Ethernet interface

run0, the Cisco USB wireless adapter

ffec0 is configured to get an IP address, gateway and DNS via DHCP, in /etc/rc.conf:

ifconfig_ffec0="DHCP"

I had these design criteria:

I already have a DHCP server, so I didn't want to assign IP leases on the wireless point; I want to delegate to my existing DHCP server

I prefer to use WPA Personal for authentication

I'd like to install as little software as possible; this doesn't need to be complicated

It would be great to automatically firewall any IPs that fail to log in more than a couple of times

A simple web administration interface would be very helpful

Of course, I'm not interested in connecting to an existing wireless access point; instead I want to be the access point. Only one piece of software needs to be installed for that: hostapd. Fortunately hostapd is part of the FreeBSD base system.

There are a couple of kernel features I needed, so I load them at boot time. My /boot/loader.conf looks like this:

console="comconsole"
#pf
pf_load="YES"
pflog_load="YES"
pfsync_load="YES"
#altq
alq_load="YES"
#wlan
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"
wlan_acl_load="YES"
wlan_xauth_load="YES"
# run driver
if_run_load="YES"
runfw_load="YES"
# bridge
if_bridge_load="YES"
if_bridgestp_load="YES"
# set wandboard to use 1 cpu
hw.ncpu=1

These options give me the various wlan crypto and access-control modules, the pf devices, the bridge device, and alq. I've also loaded the kernel module and firmware for the run driver. One caveat: alq_load loads alq(9), the asynchronous logging queue, not ALTQ; ALTQ packet queueing is a kernel build option (options ALTQ) rather than a loadable module, so nothing in this file enables it.

The strategy I want to use for leveraging my existing DHCP server and existing network is to make the wireless access point a transparent layer-2 bridge, so that wireless clients sit on the same Ethernet segment as the wired network and their DHCP broadcasts reach my existing DHCP server unchanged. The bridge device provides exactly that, by letting me bridge the ffec0 and wlan0 interfaces.

My /etc/rc.conf includes:

# hostname
hostname="wandboard"
# services
ntpdate_enable="YES"
sshd_enable="YES"
hostapd_enable="YES"
# pf
pf_enable="YES"
pf_rules="/etc/pf.conf"
pflog_enable="YES"
pflog_logfile="/var/log/pflog"
# lan
ifconfig_ffec0="DHCP"
# turn off sendmail
sendmail_submit_enable="NO"
sendmail_outbound_enable="NO"
sendmail_msp_queue_enable="NO"
# wireless
wlans_run0="wlan0"
create_args_wlan0="wlanmode hostap mode 11g"
ifconfig_wlan0="ssid snagglepuss11 channel 11"
# bridge
cloned_interfaces="bridge0"
ifconfig_bridge0="addm ffec0 addm wlan0 up"

This configuration puts the LAN interface on DHCP, creates wlan0 on top of run0 as an 802.11g access point on channel 11, and then bridges the two interfaces. At this point the access point comes up and clients can associate, but it's not secured yet: without a hostapd configuration it is an open network.

My /etc/hostapd.conf file, the configuration file for hostapd, looks like this:

interface=wlan0
logger_syslog=-1
logger_syslog_level=2
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=snagglepuss1
wpa=1
wpa_passphrase=xxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

It's pretty simple: WPA-PSK (WPA Personal) authentication on the interface wlan0, with the SSID taken from the ssid= line. hostapd applies that SSID to the interface when it starts, so it overrides the value in rc.conf; keep the two in sync. Two settings are worth tightening: wpa=1 enables only WPA version 1, so wpa=2 (WPA2/RSN) is the better choice, and with that the cipher list should be CCMP alone (rsn_pairwise=CCMP) rather than also offering TKIP. The passphrase (xxxx here is a placeholder) is stored in clear text, so the file should be readable by root only.
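As an added example (not from the original post or from the hostapd project), here is a small sh lint that reads a hostapd.conf and flags the two points above, plus a passphrase outside the 8 to 63 character range that hostapd enforces. The two configurations inside it are constructed: the weak one mirrors the file above, the hardened one is my assumed WPA2-only version of it, and both passphrases are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a lint for hostapd.conf that
# flags WPA version 1 (wpa=1), TKIP in the cipher lists, and a passphrase
# outside hostapd's 8..63 character range. Configs below are constructed;
# the passphrases are placeholders.

# Mirrors the post's hostapd.conf (WPA1 only, TKIP offered).
WEAK_CONF='interface=wlan0
ctrl_interface=/var/run/hostapd
ssid=snagglepuss1
wpa=1
wpa_passphrase=xxxx
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP'

# Same AP as WPA2-PSK with CCMP only. rsn_pairwise is the WPA2 cipher list;
# when it is absent hostapd falls back to wpa_pairwise, so set it explicitly.
HARDENED_CONF='interface=wlan0
ctrl_interface=/var/run/hostapd
ssid=snagglepuss1
wpa=2
wpa_passphrase=placeholder-passphrase-change-me
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP'

# conf_get CONF KEY: value of the first "KEY=..." line in CONF
conf_get() {
    printf '%s\n' "$1" | sed -n "s/^[[:space:]]*$2=//p" | head -n 1
}

# check_hostapd_conf CONF: print one line per finding; exit 0 only when clean
check_hostapd_conf() {
    conf=$1
    findings=0
    wpa=$(conf_get "$conf" wpa)
    pairwise=$(conf_get "$conf" wpa_pairwise)
    rsn=$(conf_get "$conf" rsn_pairwise)
    pass=$(conf_get "$conf" wpa_passphrase)

    if [ "$wpa" != "2" ]; then
        echo "wpa=${wpa:-unset}: use wpa=2 so only WPA2 (RSN) clients are accepted"
        findings=$((findings + 1))
    fi
    # With rsn_pairwise unset, hostapd reuses wpa_pairwise for WPA2, so TKIP
    # in either list means TKIP is on offer.
    case " $pairwise $rsn " in
        *" TKIP "*)
            echo "TKIP is offered as a pairwise cipher; use CCMP only"
            findings=$((findings + 1)) ;;
    esac
    len=${#pass}
    if [ "$len" -lt 8 ] || [ "$len" -gt 63 ]; then
        echo "wpa_passphrase is $len characters; hostapd requires 8 to 63"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

echo "== weak config =="
check_hostapd_conf "$WEAK_CONF" || echo "needs changes"
echo "== hardened config =="
check_hostapd_conf "$HARDENED_CONF" && echo "clean"
```

To run it against the real file on the box, pass the file contents in: check_hostapd_conf "$(cat /etc/hostapd.conf)".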

Finally, I decided to implement some simple packet filtering. /etc/pf.conf looks like this (pfctl insists on the order options, normalization, queueing, translation, filtering, so set skip on lo is grouped with the other set lines rather than placed after the scrub and antispoof rules, where pfctl would reject it):

# interfaces
lan_if="ffec0"
wifi_if="wlan0"
# options
set block-policy return
set optimization conservative
# pass on lo
set skip on lo
# normalization
scrub in all
scrub out all
# anti-spoof
antispoof for $lan_if inet
# default, deny everything
block in log all
# out is ok
pass out quick
# pass inet4 and inet6 traffic in on wifi and lan
pass in on $wifi_if inet
pass in on $wifi_if inet6
pass in on $lan_if inet
pass in on $lan_if inet6
# icmp all good
pass out inet proto icmp from any to any keep state
pass in quick inet proto icmp from any to any keep state

I allow all IPv4 and IPv6 traffic in on the wifi and LAN interfaces, so the default block in log all only catches traffic arriving on other interfaces. These rules match on the bridge members, not on bridge0; whether pf sees bridged packets on the members, on bridge0, or both is controlled by the net.link.bridge.pfil_member and net.link.bridge.pfil_bridge sysctls, whose defaults differ between FreeBSD releases. If bridge0 is filtered, the block in log all default applies to it as well and bridged traffic will stop, so check sysctl net.link.bridge and add a pass rule for bridge0 if needed. The automatic blocking of addresses that fail to log in, from my design criteria, isn't in this ruleset yet.
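One way to meet the "firewall IPs that fail to log in more than a couple of times" criterion, as an added example that is not part of the original post: scan the sshd failures in /var/log/auth.log, count them per source address, and add repeat offenders to a pf table. The log lines below are constructed in the format FreeBSD's sshd writes; the table name bruteforce, the threshold of three, and the DRY_RUN switch are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: count failed SSH logins per
# source address from auth.log-style lines and feed repeat offenders into a
# pf table. The log lines are constructed; <bruteforce> and the threshold
# are assumptions.

THRESHOLD=3             # failures allowed before an address is blocked
DRY_RUN=${DRY_RUN:-1}   # 1: print the pfctl commands; 0: run them (needs pf)

# Constructed sample in the format FreeBSD sshd logs to /var/log/auth.log.
SAMPLE_LOG='Jan  3 10:01:02 wandboard sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 41022 ssh2
Jan  3 10:01:05 wandboard sshd[1201]: Failed password for invalid user admin from 192.0.2.10 port 41023 ssh2
Jan  3 10:01:09 wandboard sshd[1203]: Failed password for root from 192.0.2.10 port 41030 ssh2
Jan  3 10:01:12 wandboard sshd[1205]: Failed password for root from 192.0.2.10 port 41031 ssh2
Jan  3 10:02:00 wandboard sshd[1210]: Accepted publickey for me from 198.51.100.7 port 50000 ssh2
Jan  3 10:03:14 wandboard sshd[1212]: Failed password for me from 198.51.100.7 port 50001 ssh2
Jan  3 10:03:20 wandboard sshd[1214]: Failed password for invalid user pi from 203.0.113.5 port 3022 ssh2
Jan  3 10:03:21 wandboard sshd[1214]: Failed password for invalid user pi from 203.0.113.5 port 3022 ssh2'

# offenders LIMIT < auth.log: source addresses with more than LIMIT failed
# password attempts, one per line, sorted. Only sshd "Failed password" lines
# count; the address is the field after "from".
offenders() {
    awk -v limit="$1" '
        /sshd\[[0-9]+\]: Failed password for/ {
            for (i = 1; i <= NF; i++)
                if ($i == "from") { count[$(i + 1)]++; break }
        }
        END { for (ip in count) if (count[ip] > limit) print ip }
    ' | sort
}

# block_offenders < auth.log: add each offender to the pf table <bruteforce>.
# pf.conf must declare it with "table <bruteforce> persist" and use it in a
# "block in quick from <bruteforce>" rule placed before the pass rules.
block_offenders() {
    offenders "$THRESHOLD" | while read -r ip; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "pfctl -t bruteforce -T add $ip"
        else
            pfctl -t bruteforce -T add "$ip"
        fi
    done
}

# Run against the constructed sample (dry run by default).
printf '%s\n' "$SAMPLE_LOG" | block_offenders
```

On the access point itself this would run from cron with DRY_RUN=0 and /var/log/auth.log on stdin, with pfctl -t bruteforce -T expire 86400 in the same job to age entries out after a day. For pure connection flooding, pf can do the counting itself with a stateful rule such as pass in on $lan_if proto tcp to port ssh keep state (max-src-conn-rate 3/30, overload <bruteforce> flush global), but that counts connections rather than failed authentications, which is why the log scan is still useful.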

I don't have a web interface yet; I've had some trouble reliably compiling on the current builds of FreeBSD ARM. However, I'm sure that'll be worked out shortly.