FreeBSDwiki - User contributions [en]

Openvpn with fixed ips

2008-07-11T22:02:39Z

GNUtoo:

==Introduction==
We already explored openvpn with dhcp...here we will have fixed ips without dhcp...here's the setting:
*isc-dhcp40-server
*bind95
*openvpn
with this setup we will be able to see the internal network from an external connection:

==Setup==
here's openvpn.conf:
ca /usr/local/etc/openvpn/keys/ca.crt
cert /usr/local/etc/openvpn/keys/server.crt
key /usr/local/etc/openvpn/keys/server.key
dh /usr/local/etc/openvpn/keys/dh1024.pem
# USE TAP ON SERVER AND CLIENT SIDE !
dev tap
#ifconfig-pool-persist ipp.txt
# replace 192.168.1.101 with the VPN IP
server-bridge 192.168.0.1 255.255.254.0 192.168.0.2 192.168.0.250
keepalive 10 120
client-to-client
verb 3
duplicate-cn
push "route-gateway 192.168.0.1"
push "dhcp-option DNS 192.168.0.1" # push DNS entries to openvpn client
push "redirect-gateway"
#redirect-gateway
client-config-dir /usr/local/etc/openvpn/config

here's the content of a client config in /usr/local/etc/openvpn/config i named this file with the name of the certificate: port4 : that is needed so it will assign this ip to the owner of the port4 certificate
ifconfig-push 192.168.0.107 255.255.254.0

here's the content of /usr/local/etc/dhcpd.conf
option domain-name "workgroup";
ddns-update-style none;
class "openvpn" {
match if substring (hardware,1,2) = 00:ff;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
option routers 192.168.1.1;
option domain-name-servers 192.168.1.1;
pool {
deny members of "openvpn";
allow unknown-clients;
allow known-clients;
ddns-updates off;
range 192.168.1.100 192.168.1.199;
}
}

host port4 {
hardware ethernet 00:16:6f:b9:02:a4;
fixed-address 192.168.1.107;
}
here we match for mac address that starts by 00:ff,because tap devices do,and we assign them to the openvpn class...
then we allow known and unknown clients but deny the right of the client's tap interface to get an ip in this range
then at the end we assign an ip to a client...that makes the ports redirections easier

here's my bind configuration:
// $FreeBSD: src/etc/namedb/named.conf,v 1.26.4.1 2008/01/13 20:48:23 dougb Exp $
//
// Refer to the named.conf(5) and named(8) man pages, and the documentation
// in /usr/share/doc/bind9 for more details.
//
// If you are going to set up an authoritative server, make sure you
// understand the hairy details of how DNS works. Even with
// simple mistakes, you can break connectivity for affected parties,
// or cause huge amounts of useless Internet traffic.

options {
// Relative to the chroot directory, if any
directory "/etc/namedb";
pid-file "/var/run/named/pid";
dump-file "/var/dump/named_dump.db";
statistics-file "/var/stats/named.stats";

// If named is being used only as a local resolver, this is a safe default.
// For named to be accessible to the network, comment this option, specify
// the proper IP address, or delete this option.
listen-on { 127.0.0.1; 192.168.0.1; 192.168.1.1; };

// If you have IPv6 enabled on this system, uncomment this option for
// use as a local resolver. To give access to the network, specify
// an IPv6 address, or the keyword "any".
// listen-on-v6 { ::1; };

// These zones are already covered by the empty zones listed below.
// If you remove the related empty zones below, comment these lines out.
disable-empty-zone "255.255.255.255.IN-ADDR.ARPA";
disable-empty-zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";
disable-empty-zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA";

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
// forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below. This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.
/*
forwarders {
127.0.0.1;
};
*/
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND versions 8 and later
* use a pseudo-random unprivileged UDP port by default.
*/
// query-source address * port 53;
};

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

// The traditional root hints mechanism. Use this, OR the slave zones below.
//zone "." { type hint; file "named.root"; };

/* Slaving the following zones from the root name servers has some
significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
3. Greater resilience to any potential root server failure/DDoS

On the other hand, this method requires more monitoring than the
hints file to be sure that an unexpected failure mode has not
incapacitated your server. Name servers that are serving a lot
of clients will benefit more from this approach than individual
hosts. Use with caution.

To use this mechanism, uncomment the entries below, and comment
the hint zone above.
*/

zone "." {
type slave;
file "slave/root.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "arpa" {
type slave;
file "slave/arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};
zone "in-addr.arpa" {
type slave;
file "slave/in-addr.arpa.slave";
masters {
192.5.5.241; // F.ROOT-SERVERS.NET.
};
notify no;
};

/* Serving the following zones locally will prevent any queries
for these zones leaving your network and going to the root
name servers. This has two significant advantages:
1. Faster local resolution for your users
2. No spurious traffic will be sent from your network to the roots
*/
// RFC 1912
zone "localhost" { type master; file "master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "master/empty.db"; };

// RFC 1912-style zone for IPv6 localhost address
zone "0.ip6.arpa" { type master; file "master/localhost-reverse.db"; };

// "This" Network (RFCs 1912 and 3330)
zone "0.in-addr.arpa" { type master; file "master/empty.db"; };

// Private Use Networks (RFC 1918)
zone "10.in-addr.arpa" { type master; file "master/empty.db"; };
zone "16.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "17.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "18.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "20.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "21.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "22.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "23.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "24.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "25.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "26.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "27.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "28.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "29.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "30.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "31.172.in-addr.arpa" { type master; file "master/empty.db"; };
zone "168.192.in-addr.arpa" { type master; file "master/empty.db"; };

// Link-local/APIPA (RFCs 3330 and 3927)
zone "254.169.in-addr.arpa" { type master; file "master/empty.db"; };

// TEST-NET for Documentation (RFC 3330)
zone "2.0.192.in-addr.arpa" { type master; file "master/empty.db"; };

// Router Benchmark Testing (RFC 3330)
zone "18.198.in-addr.arpa" { type master; file "master/empty.db"; };
zone "19.198.in-addr.arpa" { type master; file "master/empty.db"; };

// IANA Reserved - Old Class E Space
zone "240.in-addr.arpa" { type master; file "master/empty.db"; };
zone "241.in-addr.arpa" { type master; file "master/empty.db"; };
zone "242.in-addr.arpa" { type master; file "master/empty.db"; };
zone "243.in-addr.arpa" { type master; file "master/empty.db"; };
zone "244.in-addr.arpa" { type master; file "master/empty.db"; };
zone "245.in-addr.arpa" { type master; file "master/empty.db"; };
zone "246.in-addr.arpa" { type master; file "master/empty.db"; };
zone "247.in-addr.arpa" { type master; file "master/empty.db"; };
zone "248.in-addr.arpa" { type master; file "master/empty.db"; };
zone "249.in-addr.arpa" { type master; file "master/empty.db"; };
zone "250.in-addr.arpa" { type master; file "master/empty.db"; };
zone "251.in-addr.arpa" { type master; file "master/empty.db"; };
zone "252.in-addr.arpa" { type master; file "master/empty.db"; };
zone "253.in-addr.arpa" { type master; file "master/empty.db"; };
zone "254.in-addr.arpa" { type master; file "master/empty.db"; };

// IPv6 Unassigned Addresses (RFC 4291)
zone "1.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.ip6.arpa" { type master; file "master/empty.db"; };
zone "c.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "8.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "0.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "1.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "2.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "3.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "4.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "5.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "6.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "7.e.f.ip6.arpa" { type master; file "master/empty.db"; };

// IPv6 ULA (RFC 4193)
zone "c.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.f.ip6.arpa" { type master; file "master/empty.db"; };

// IPv6 Link Local (RFC 4291)
zone "8.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "9.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "a.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "b.e.f.ip6.arpa" { type master; file "master/empty.db"; };

// IPv6 Deprecated Site-Local Addresses (RFC 3879)
zone "c.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "d.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "e.e.f.ip6.arpa" { type master; file "master/empty.db"; };
zone "f.e.f.ip6.arpa" { type master; file "master/empty.db"; };

// IP6.INT is Deprecated (RFC 4159)
zone "ip6.int" { type master; file "master/empty.db"; };

// NB: Do not use the IP addresses below, they are faked, and only
// serve demonstration/documentation purposes!
//
// Example slave zone config entries. It can be convenient to become
// a slave at least for the zone your own domain is in. Ask
// your network administrator for the IP address of the responsible
// master name server.
//
// Do not forget to include the reverse lookup zone!
// This is named after the first bytes of the IP address, in reverse
// order, with ".IN-ADDR.ARPA" appended, or ".IP6.ARPA" for IPv6.
//
// Before starting to set up a master zone, make sure you fully
// understand how DNS and BIND work. There are sometimes
// non-obvious pitfalls. Setting up a slave zone is usually simpler.
//
// NB: Don't blindly enable the examples below. :-) Use actual names
// and addresses instead.

/* An example dynamic zone
key "exampleorgkey" {
algorithm hmac-md5;
secret "sf87HJqjkqh8ac87a02lla==";
};
zone "example.org" {
type master;
allow-update {
key "exampleorgkey";
};
file "dynamic/example.org";
};
*/

/* Example of a slave reverse zone
zone "1.168.192.in-addr.arpa" {
type slave;
file "slave/1.168.192.in-addr.arpa";
masters {
192.168.1.1;
};
};
*/

zone "workgroup" {
type master;
file "master/workgroup";
};

and here's my local "workgroup" file that lies in /etc/namedb/master/workgroup

$TTL 3600 ; 1 hour
workgroup. IN SOA 192.168.1.1 admin.workgroup. (
2008071102 ; Serial
10800 ; Refresh
3600 ; Retry
604800 ; Expire
86400 ; Minimum TTL
)
; DNS Servers
IN NS 192.168.1.1
IN NS 192.168.1.1

; Machine Names
localhost IN A 127.0.0.1
router IN A 192.168.1.1
port4 IN A 192.168.1.107
; Aliases
www

basically i followed the comments in the file and have set-up a slave...
i've also changed on what interface it listen...

Openvpn with fixed ips

2008-07-11T21:58:48Z

GNUtoo:

Openvpn with fixed ips

2008-07-11T21:51:01Z

GNUtoo:

Openvpn with fixed ips

2008-07-11T21:48:05Z

GNUtoo:

2008-06-12T22:40:35Z

GNUtoo:

PPPOE, access point

2008-06-04T22:08:04Z

2008-05-31T22:17:22Z

GNUtoo: /* Introduction */

Talk:AccessPoint

2008-05-31T22:15:54Z

GNUtoo:

i'll add the ppp section later...

AccessPoint

2008-05-31T22:14:50Z

GNUtoo: /* Nat and firewall */

==Introduction==
FreeBSD is very well suited to be used as an access point,because it has out of the box support of the master mode for a variety of cards such as ralink,atheros cards.
Under GNU/Linux you have to:
*use a kernel that is not out yet(2.6.26-rc4)
*patch the kernel with the patch named allow-ap-vlan-modes.patch from http://johannes.sipsolutions.net/patches/kernel/all/LATEST/
*compile a recent libnl(i used libnl-1.1-r1 in gentoo) against the kernel
*in gentoo you need to copy nl80211.h from your kenrel directory to /usr/include/linux
*then finally you need to compile a git version of hostapd...
at the end i got a system that is working with broadcom not ralink ones(made my computer freeze)
only in order to have the wifi card working as access point...
under FreeBSD it's a lot more easy and more stable(we don't use git or patches)

==The hardware==
i used:
*2 realtech pci 10/100 cards,in FreeBSD they are recognized as rl0 and rl1(maybe there is the possibility to use interfaces aliasing but as i had 2 cards...)
*a ralink rt2500 pci card,in FreeBSD it's recognized as ral0

==The installation and configuration==
*install FreeBSD as usual(i used FreeBSD 7.0)
*enable ssh logins during the installation or add this in your /etc/rc.conf:
sshd_enable="YES"
*if you have got a dhcp modem you can use add the following in your /etc/rc.conf(remplacing ral0 by your wired card interface name)
ifconfig_rl0="DHCP"
otherwise we'll see pppoe later...
===Wireless===
*then type the following command as root(remplacing ral0 by your wifi card interface name):
ifconfig ral0 inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4
note that in the FreeBSD handbook inet is placed incorrectly,pay also attention to the channel 4...i tried it without it and it didn't work
then try to associate with a client running an operating system such as *BSD or GNU/Linux and ping it:
if something goes wrong(ping doesn't work) simply type dmesg and look for message about your wifi card(such as associations messages)
under GNU/Linux type as root(remplacing wlan0 by your wifi card interface name):
ifconfig wlan0 up
iwlist wlan0 scan
iwconfig wlan0 essid "freebsdap"
ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
ping 192.168.1.1
under FreeBSD type as root(remplacing ral0 by your wifi card interface name):
ifconfig ral0 up
ifconfig ral0 list scan
ifconfig ral0 inet 192.168.1.100 netmask 255.255.255.0 ssid freebsdap
ping 192.168.1.1
then if you can see the wireless and can ping it simply add the following to /etc/rc.conf:
ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"
===dns and dhcp===
your wireless is now working...so we can install a dns and dhcp server...
for simplicity we will use dnsmasq
type the following as root:
cd /usr/ports/dns/dnsmasq
make config
then unselect ipv6 unless you need it
and unselect dbus because we won't use it
then type the following as root:
make
make install
then we will need to configure dnsmasq:
edit /usr/local/etc/dnsmasq.conf with your favorite editor and add the following:
# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=workgroup
expand-hosts
#resolv-file=/tmp/resolv.conf.auto

dhcp-authoritative
#dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s):
dhcp-option=3,192.168.1.1
# dns server(s):
dhcp-option=6,192.168.1.1

dhcp-range=192.168.1.100,192.168.1.255,255.255.255.0,12h
the file don't need to be explained but read-ethers...
read ethers permit you to assign static ip to certain mac address
so edit /etc/ethers with entries like this:
00:14:85:11:EF:02 192.168.1.106
and in order to give a dns name to this entry edit /etc/hosts and add an entry like this:
192.168.1.106 Ralink

then in order to start your dnsmasq server at boot you need to add the following to /etc/rc.conf:
dnsmasq_enable="YES"

you can now test the wifi connection with any graphical tool(like NetworkManager in GNU/linux or even test it with a windows computer)
you can even try to ping a website...but you will only get his ip and no response...that's because we didn't set up the NAT yet...

==Nat and firewall==
in order to set the nat we will add this to /etc/rc.conf:(remplacing ral0 by your wired card(that is connected to the internet) interface name)::
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""
if you wish to redirect ports add this to natd_flags="" in /etc/rc.conf:
-redirect_port tcp 192.168.0.6:80 80

now normally the access point should work...

AccessPoint

2008-05-31T22:11:54Z

GNUtoo:

==Introduction==
FreeBSD is very well suited to be used as an access point,because it has out of the box support of the master mode for a variety of cards such as ralink,atheros cards.
Under GNU/Linux you have to:
*use a kernel that is not out yet(2.6.26-rc4)
*patch the kernel with the patch named allow-ap-vlan-modes.patch from http://johannes.sipsolutions.net/patches/kernel/all/LATEST/
*compile a recent libnl(i used libnl-1.1-r1 in gentoo) against the kernel
*in gentoo you need to copy nl80211.h from your kenrel directory to /usr/include/linux
*then finally you need to compile a git version of hostapd...
at the end i got a system that is working with broadcom not ralink ones(made my computer freeze)
only in order to have the wifi card working as access point...
under FreeBSD it's a lot more easy and more stable(we don't use git or patches)

==The hardware==
i used:
*2 realtech pci 10/100 cards,in FreeBSD they are recognized as rl0 and rl1(maybe there is the possibility to use interfaces aliasing but as i had 2 cards...)
*a ralink rt2500 pci card,in FreeBSD it's recognized as ral0

==The installation and configuration==
*install FreeBSD as usual(i used FreeBSD 7.0)
*enable ssh logins during the installation or add this in your /etc/rc.conf:
sshd_enable="YES"
*if you have got a dhcp modem you can use add the following in your /etc/rc.conf(remplacing ral0 by your wired card interface name)
ifconfig_rl0="DHCP"
otherwise we'll see pppoe later...
===Wireless===
*then type the following command as root(remplacing ral0 by your wifi card interface name):
ifconfig ral0 inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4
note that in the FreeBSD handbook inet is placed incorrectly,pay also attention to the channel 4...i tried it without it and it didn't work
then try to associate with a client running an operating system such as *BSD or GNU/Linux and ping it:
if something goes wrong(ping doesn't work) simply type dmesg and look for message about your wifi card(such as associations messages)
under GNU/Linux type as root(remplacing wlan0 by your wifi card interface name):
ifconfig wlan0 up
iwlist wlan0 scan
iwconfig wlan0 essid "freebsdap"
ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
ping 192.168.1.1
under FreeBSD type as root(remplacing ral0 by your wifi card interface name):
ifconfig ral0 up
ifconfig ral0 list scan
ifconfig ral0 inet 192.168.1.100 netmask 255.255.255.0 ssid freebsdap
ping 192.168.1.1
then if you can see the wireless and can ping it simply add the following to /etc/rc.conf:
ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"
===dns and dhcp===
your wireless is now working...so we can install a dns and dhcp server...
for simplicity we will use dnsmasq
type the following as root:
cd /usr/ports/dns/dnsmasq
make config
then unselect ipv6 unless you need it
and unselect dbus because we won't use it
then type the following as root:
make
make install
then we will need to configure dnsmasq:
edit /usr/local/etc/dnsmasq.conf with your favorite editor and add the following:
# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=workgroup
expand-hosts
#resolv-file=/tmp/resolv.conf.auto

dhcp-authoritative
#dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s):
dhcp-option=3,192.168.1.1
# dns server(s):
dhcp-option=6,192.168.1.1

dhcp-range=192.168.1.100,192.168.1.255,255.255.255.0,12h
the file don't need to be explained but read-ethers...
read ethers permit you to assign static ip to certain mac address
so edit /etc/ethers with entries like this:
00:14:85:11:EF:02 192.168.1.106
and in order to give a dns name to this entry edit /etc/hosts and add an entry like this:
192.168.1.106 Ralink

then in order to start your dnsmasq server at boot you need to add the following to /etc/rc.conf:
dnsmasq_enable="YES"

you can now test the wifi connection with any graphical tool(like NetworkManager in GNU/linux or even test it with a windows computer)
you can even try to ping a website...but you will only get his ip and no response...that's because we didn't set up the NAT yet...

==Nat and firewall==
in order to set the nat we will add this to /etc/rc.conf:(remplacing ral0 by your wired card(that is connected to the internet) interface name)::
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""

now normally the access point should work...

AccessPoint

2008-05-31T22:10:37Z

GNUtoo:

==Introduction==
FreeBSD is very well suited to be used as an access point,because it has out of the box support of the master mode for a variety of cards such as ralink,atheros cards.
Under GNU/Linux you have to:
*use a kernel that is not out yet(2.6.26-rc4)
*patch the kernel with the patch named allow-ap-vlan-modes.patch from http://johannes.sipsolutions.net/patches/kernel/all/LATEST/
*compile a recent libnl(i used libnl-1.1-r1 in gentoo) against the kernel
*in gentoo you need to copy nl80211.h from your kenrel directory to /usr/include/linux
*then finally you need to compile a git version of hostapd...
at the end i got a system that is working with broadcom not ralink ones(made my computer freeze)

under FreeBSD it's a lot more easy

==The hardware==
i used:
*2 realtech pci 10/100 cards,in FreeBSD they are recognized as rl0 and rl1(maybe there is the possibility to use interfaces aliasing but as i had 2 cards...)
*a ralink rt2500 pci card,in FreeBSD it's recognized as ral0

==The installation and configuration==
*install FreeBSD as usual(i used FreeBSD 7.0)
*enable ssh logins during the installation or add this in your /etc/rc.conf:
sshd_enable="YES"
*if you have got a dhcp modem you can use add the following in your /etc/rc.conf(remplacing ral0 by your wired card interface name)
ifconfig_rl0="DHCP"
otherwise we'll see pppoe later...
===Wireless===
*then type the following command as root(remplacing ral0 by your wifi card interface name):
ifconfig ral0 inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4
note that in the FreeBSD handbook inet is placed incorrectly,pay also attention to the channel 4...i tried it without it and it didn't work
then try to associate with a client running an operating system such as *BSD or GNU/Linux and ping it:
if something goes wrong(ping doesn't work) simply type dmesg and look for message about your wifi card(such as associations messages)
under GNU/Linux type as root(remplacing wlan0 by your wifi card interface name):
ifconfig wlan0 up
iwlist wlan0 scan
iwconfig wlan0 essid "freebsdap"
ifconfig wlan0 192.168.1.100 netmask 255.255.255.0
ping 192.168.1.1
under FreeBSD type as root(remplacing ral0 by your wifi card interface name):
ifconfig ral0 up
ifconfig ral0 list scan
ifconfig ral0 inet 192.168.1.100 netmask 255.255.255.0 ssid freebsdap
ping 192.168.1.1
then if you can see the wireless and can ping it simply add the following to /etc/rc.conf:
ifconfig_ral0="inet 192.168.1.1 netmask 255.255.255.0 ssid freebsdap mediaopt hostap channel 4"
===dns and dhcp===
your wireless is now working...so we can install a dns and dhcp server...
for simplicity we will use dnsmasq
type the following as root:
cd /usr/ports/dns/dnsmasq
make config
then unselect ipv6 unless you need it
and unselect dbus because we won't use it
then type the following as root:
make
make install
then we will need to configure dnsmasq:
edit /usr/local/etc/dnsmasq.conf with your favorite editor and add the following:
# filter what we send upstream
domain-needed
bogus-priv
filterwin2k
localise-queries

# allow /etc/hosts and dhcp lookups via *.lan
local=/lan/
domain=workgroup
expand-hosts
#resolv-file=/tmp/resolv.conf.auto

dhcp-authoritative
#dhcp-leasefile=/tmp/dhcp.leases

# use /etc/ethers for static hosts; same format as --dhcp-host
# <hwaddr> <ipaddr>
read-ethers

# other useful options:
# default route(s):
dhcp-option=3,192.168.1.1
# dns server(s):
dhcp-option=6,192.168.1.1

dhcp-range=192.168.1.100,192.168.1.255,255.255.255.0,12h
the file don't need to be explained but read-ethers...
read ethers permit you to assign static ip to certain mac address
so edit /etc/ethers with entries like this:
00:14:85:11:EF:02 192.168.1.106
and in order to give a dns name to this entry edit /etc/hosts and add an entry like this:
192.168.1.106 Ralink

then in order to start your dnsmasq server at boot you need to add the following to /etc/rc.conf:
dnsmasq_enable="YES"

you can now test the wifi connection with any graphical tool(like NetworkManager in GNU/linux or even test it with a windows computer)
you can even try to ping a website...but you will only get his ip and no response...that's because we didn't set up the NAT yet...

==Nat and firewall==
in order to set the nat we will add this to /etc/rc.conf:(remplacing ral0 by your wired card(that is connected to the internet) interface name)::
gateway_enable="YES"
firewall_enable="YES"
firewall_type="OPEN"
natd_enable="YES"
natd_interface="rl0"
natd_flags=""

now normally the access point should work...