FreeBSD12 Atheros 无线网卡AP模式设置

内核版本：

# uname -a
FreeBSD XMAN 12.0-RELEASE FreeBSD 12.0-RELEASE r341666 GENERIC  amd64

驱动设置

找到要使用的驱动程序ath0

# sysctl net.wlan.devices
net.wlan.devices: ath0

可以通过下面的命令找到相应的硬件：

# pciconf -lv ath0
ath0@pci0:2:0:0:        class=0x028000 card=0xe052105b chip=0x0034168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR9462 Wireless Network Adapter'
    class      = network

加载模块，修改 /boot/loader.conf 后reboot重启

# cat /boot/loader.conf
if_ath_load="YES"
if_wi_load="YES"
if_ath_pci_load="YES"
wlan_wep_load="YES"
wlan_ccmp_load="YES"
wlan_tkip_load="YES"

无线AP设置

加载无线网络支持后，检查无线设备是否支持基于主机的接入点模式，也称为hostap模式:

# ifconfig wlan0 create wlandev ath0
# ifconfig wlan0 list caps
drivercaps=4f8def41<STA,FF,IBSS,PMGT,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,MBSS,WPA1,WPA2,BURST,WME,WDS,TXFRAG>
cryptocaps=1f<WEP,TKIP,AES,AES_CCM,TKIPMIC>
htcaps=20701ef<LDPC,CHWIDTH40,SHORTGI20,SHORTGI40,TXSTBC>

这里打印了 HOSTAP，证实了这张无线网卡可以充当AP。还列出了各种支持的加密方式：WEP， TKIP和AES。此信息指示可以在AP上使用哪些安全协议。

无线设备只能在创建网络设备时进入hostap模式，因此必须首先销毁先前创建的设备:

# ifconfig wlan0 destroy

然后在设置其他参数之前使用正确的选项重新生成:

# ifconfig wlan0 create wlandev ath0 wlanmode hostap
# ifconfig wlan0 inet 10.10.10.1 netmask 255.255.255.0 ssid freebsdap mode 11g channel 1

再次通过ifconfig 查看wlan0接口状态：

# ifconfig wlan0
wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
 ether 3c:77:e6:50:2a:69
 inet 10.10.10.1 netmask 0xffffff00 broadcast 10.10.10.255
 groups: wlan
 ssid freebsdap channel 1 (2412 MHz 11g ht/20) bssid 3c:77:e6:50:2a:69
 regdomain 108 indoor ecm authmode OPEN privacy OFF txpower 20
 scanvalid 60 protmode CTS ampdulimit 64k ampdudensity 8 shortgi wme
 burst dtimperiod 1 -dfs
 media: IEEE 802.11 Wireless Ethernet autoselect mode 11ng <hostap>
 status: running
 nd6 options=29<PERFORMNUD,IFDISABLED,AUTO_LINKLOCAL>

将下面的参数添加到 /etc/rc.conf ，在引导时自动完成配置：

wlans_ath0="wlan0"
hostapd_enable="YES"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="inet 10.10.10.1 netmask 255.255.255.0 ssid freebsdap mode 11g channel 1"

还需要配置WPA2安全协议，这样才能安全运行AP

配置 /etc/hostapd.conf :

# vim /etc/hostapd.conf
interface=wlan0
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=freebasap
wpa=2
wpa_passphrase=freebsdmall #password
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP

启动hostapd服务

# service hostapd forcestart
Starting hostapd.
Configuration file: /etc/hostapd.conf
Using interface wlan0 with hwaddr 3c:77:e6:50:2a:69 and ssid "freebasap"
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED

到了这一步移动设备应该可以看到SSID了，也可以对接入点进行身份验证，但是只能通过设置静态IP连接，并且无法连接公网

无线DHCP服务设置

设置DHCP服务器，需要使用DHCPd守护程序监听wlan0接口的ip地址：

安装ISC的dhcpd服务器：

cd usr/ports/net/isc-dhcp44-server/
make install clean

执行上述指令后将出现如下画面

使用默认设置即可

安装完后，在 /usr/local/etc/ 生成dhcpd.conf.sample 和 dhcpd.conf 我们对dhcpd.conf进行修改

# cat usr/local/etc/dhcpd.conf

option domain-name "freebsd.org";
option domain-name-servers 8.8.8.8;
default-lease-time 86400;
max-lease-time 86400;
log-facility local7;
ddns-update-style none;
subnet 10.10.10.0 netmask 255.255.255.0 {
  range 10.10.10.100 10.10.10.150;
  option domain-name-servers 8.8.8.8;
  option domain-name "freebsd.org";
  option routers 10.10.10.1;
  option broadcast-address 10.10.10.255;
  default-lease-time 3600;
  max-lease-time 7200;
}

启动服务 service isc-dhcpd start 后连接AP，移动设备可以自动获取到ip，但还不能访问网络

# service isc-dhcpd start
Starting dhcpd.
Internet Systems Consortium DHCP Server 4.4.1
Copyright 2004-2018 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/
Config file: /usr/local/etc/dhcpd.conf
Database file: /var/db/dhcpd/dhcpd.leases
PID file: /var/run/dhcpd/dhcpd.pid
Wrote 0 leases to leases file.
Listening on BPF/wlan0/3c:77:e6:50:2a:69/10.10.10.0/24
Sending on   BPF/wlan0/3c:77:e6:50:2a:69/10.10.10.0/24
Sending on   Socket/fallback/fallback-net

FreeBSD PF防火墙设设置

启动FreeBSD的网关模式，允许数据包从wifi转发到lan口，修改配置 /etc/rc.conf

## allow packets to be passed from one network interface to another
gateway_enable="YES" # Enable as LAN gateway
## PF firewall
pf_enable="YES"                 # Enable PF (load module if required)
pf_rules="/etc/pf.conf"         # rules definition file for pf
pf_flags=""                     # additional flags for pfctl start up
pflog_enable="YES"              # To enable logging support
pflog_logfile="/var/log/pflog"  # where pflogd should store the logfile
pflog_flags=""                  # additional flags for pflogd start up

保存所需的编辑后，可以通过键入以下内容 来启动PF以获取日志记录支持：

# service pf start
# service pflog start

启用网关数据转发，转发IPV4数据包：

# sysctl net.inet.ip.forwarding=1   #forward IPv4 packets
# sysctl net.inet6.ip6.forwarding=1 ##IPV6

注意如果要转发IPV6，在 /etc/rc.conf 中需要添加 ipv6_gateway_enable =“YES”

FreeBSD安装包 示例文件路径： /usr/share/examples/pf/
以下是个简单的Pf防火墙配置，允许所有通过无线网卡的数据包到有线网卡LAN。有线网卡是igb0接口，无线网卡是wlan0接口。

# vim etc/pf.conf
#block in all  
#pass out all keep state       #allows all
#interfaces
lan_if="igb0"
wifi_if="wlan0"
localnet=$wifi_if:network
#NAT
nat on $lan_if from $localnet to any -> ($lan_if)
block all
block in log all
pass out log quick
#pass inet4 and inet6 traffic in on wifi and lan
pass in log on $wifi_if inet
pass in log on $lan_if inet

pass from {lo0, $localnet} to any keep state

执行 pfctl -f /etc/pf.conf 刷新过滤器，连接WIFI就可以访问网络了。

无线连接接入完成！

参考文档1：https://www.freebsd.org/doc/handbook/network-wireless.html

参考文档2：https://calomel.org/freebsd_wireless_access_point.html