Date: Fri, 21 Dec 2007 13:55:21 GMT From: Gabor Kovesdan <gabor@FreeBSD.org> To: Perforce Change Reviews <perforce@freebsd.org> Subject: PERFORCE change 131369 for review Message-ID: <200712211355.lBLDtLTE013496@repoman.freebsd.org>
http://perforce.freebsd.org/chv.cgi?CH=131369 Change 131369 by gabor@gabor_server on 2007/12/21 13:55:19 IFC Affected files ... .. //depot/projects/docproj_hu/books/handbook/advanced-networking/chapter.sgml#3 integrate Differences ... ==== //depot/projects/docproj_hu/books/handbook/advanced-networking/chapter.sgml#3 (text+ko) ==== @@ -1,7 +1,7 @@ <!-- The FreeBSD Documentation Project - $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.400 2007/09/12 11:47:33 murray Exp $ + $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.404 2007/12/20 22:21:44 gabor Exp $ --> <chapter id="advanced-networking"> @@ -901,8 +901,8 @@ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput> SSID BSSID CHAN RATE S:N INT CAPS -dlinkap 00:13:46:49:41:76 6 54M 29:0 100 EPS WPA WME -freebsdap 00:11:95:c3:0d:ac 1 54M 22:0 100 EPS WPA</screen> +dlinkap 00:13:46:49:41:76 6 54M 29:3 100 EPS WPA WME +freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS WPA</screen> <note> <para>You must mark the interface <option>up</option> @@ -1143,7 +1143,7 @@ parameters you have set up for selecting an access point:</para> - <programlisting>ifconfig_ath0="inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>your_ssid_here</replaceable>"</programlisting> + <programlisting>ifconfig_ath0="ssid <replaceable>your_ssid_here</replaceable> inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable>"</programlisting> </sect5> <sect4 id="network-wireless-wpa"> 
@@ -1635,8 +1635,8 @@ <para>WEP can be set up with <command>ifconfig</command>:</para> - <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid my_net \ - wepmode on weptxkey 3 wepkey 3:0x3456789012</userinput></screen> + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012 \ + inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput></screen> <itemizedlist> <listitem> @@ -1698,7 +1698,7 @@ <para>On the box <hostid>A</hostid>:</para> - <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc</userinput> + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput> &prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput> ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 
@@ -1717,14 +1717,14 @@ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput> SSID BSSID CHAN RATE S:N INT CAPS - freebsdap 02:11:95:c3:0d:ac 2 54M 19:0 100 IS</screen> + freebsdap 02:11:95:c3:0d:ac 2 54M 19:3 100 IS</screen> <para>The <literal>I</literal> in the output confirms the machine <hostid>A</hostid> is in ad-hoc mode. We just have to configure <hostid>B</hostid> with a different IP address:</para> - <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc</userinput> + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput> &prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput> ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 
@@ -1739,6 +1739,305 @@ ready to exchange informations.</para> </sect2> + <sect2 id="network-wireless-ap"> + <title>&os; Host Access Points</title> + + <para>&os; can act as an Access Point (AP) which eliminates the + need to buy a hardware AP or run an ad-hoc network. This can be + particularly useful when your &os; machine is acting as a + gateway to another network (e.g., the Internet).</para> + + <sect3 id="network-wireless-ap-basic"> + <title>Basic Settings</title> + + <para>Before configuring your &os; machine as an AP, the + kernel must be configured with the appropriate wireless + networking support for your wireless card. You also have to + add the support for the security protocols you intend to + use. For more details, see <xref + linkend="network-wireless-basic">.</para> + + <note> + <para>The use of the NDIS driver wrapper and the &windows; + drivers do not allow currently the AP operation. Only + native &os; wireless drivers support AP mode.</para> + </note> + + <para>Once the wireless networking support is loaded, you can + check if your wireless device supports the host-based access + point mode (also know as hostap mode):</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> list caps</userinput> +ath0=783ed0f<WEP,TKIP,AES,AES_CCM,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME></screen> + + <para>This output displays the card capabilities; the + <literal>HOSTAP</literal> word confirms this wireless card + can act as an Access Point. 
Various supported ciphers are + also mentioned: WEP, TKIP, WPA2, etc., these informations + are important to know what security protocols could be set + on the Access Point.</para> + + <para>The wireless device can now be put into hostap mode and + configured with the correct SSID and IP address:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mode 11g mediaopt hostap</userinput> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></screen> + + <para>Use again <command>ifconfig</command> to see the status + of the <devicename>ath0</devicename> interface:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput> + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap> + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode OPEN privacy OFF txpowmax 38 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100</screen> + + <para>The <literal>hostap</literal> parameter indicates the + interface is running in the host-based access point + mode.</para> + + <para>The interface configuration can be done automatically at + boot time by adding the following line to + <filename>/etc/rc.conf</filename>:</para> + + <programlisting>ifconfig_ath0="ssid <replaceable>freebsdap</replaceable> mode 11g mediaopt hostap inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable>"</programlisting> + </sect3> + + <sect3> + <title>Host-based Access Point without Authentication or + Encryption</title> + + <para>Although it is not recommended to run an AP without any + authentication or encryption, this is a simple way to check + if your AP is working. 
This configuration is also important + for debugging client issues.</para> + + <para>Once the AP configured as previously shown, it is + possible from another wireless machine to initiate a scan to + find the AP:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput> +SSID BSSID CHAN RATE S:N INT CAPS +freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 ES</screen> + + <para>The client machine found the Access Point and can be + associated with it:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput> +&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput> + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100</screen> + </sect3> + + <sect3> + <title>WPA Host-based Access Point</title> + + <para>This section will focus on setting up &os; Access Point + using the WPA security protocol. More details regarding WPA + and the configuration of WPA-based wireless clients can be + found in the <xref linkend="network-wireless-wpa">.</para> + + <para>The <application>hostapd</application> daemon is used to + deal with client authentication and keys management on the + WPA enabled Access Point.</para> + + <para>In the following, all the configuration operations will + be performed on the &os; machine acting as AP. 
Once the + AP is correctly working, <application>hostapd</application> + should be automatically enabled at boot with the following + line in <filename>/etc/rc.conf</filename>:</para> + + <programlisting>hostapd_enable="YES"</programlisting> + + <para>Before trying to configure + <application>hostapd</application>, be sure you have done + the basic settings introduced in the <xref + linkend="network-wireless-ap-basic">.</para> + + <sect4> + <title>WPA-PSK</title> + + <para>WPA-PSK is intended for small networks where the use + of an backend authentication server is not possible or + desired.</para> + + <para>The configuration is done in the + <filename>/etc/hostapd.conf</filename> file:</para> + + <programlisting>interface=ath0 <co id="co-ap-wpapsk-iface"> +debug=1 <co id="co-ap-wpapsk-dbug"> +ctrl_interface=/var/run/hostapd <co id="co-ap-wpapsk-ciface"> +ctrl_interface_group=wheel <co id="co-ap-wpapsk-cifacegrp"> +ssid=freebsdap <co id="co-ap-wpapsk-ssid"> +wpa=1 <co id="co-ap-wpapsk-wpa"> +wpa_passphrase=freebsdmall <co id="co-ap-wpapsk-pass"> +wpa_key_mgmt=WPA-PSK <co id="co-ap-wpapsk-kmgmt"> +wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"></programlisting> + + <calloutlist> + <callout arearefs="co-ap-wpapsk-iface"> + <para>This field indicates the wireless interface used + for the Access Point.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-dbug"> + <para>This field sets the level of verbosity during the + execution of <application>hostapd</application>. A + value of <literal>1</literal> represents the minimal + level.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-ciface"> + <para>The <literal>ctrl_interface</literal> field gives + the pathname of the directory used by + <application>hostapd</application> to stores its + domain socket files for the communication with + external programs such as &man.hostapd.cli.8;. 
The + default value is used here.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-cifacegrp"> + <para>The <literal>ctrl_interface_group</literal> line + sets the group (here, it is the + <groupname>wheel</groupname> group) allowed to access + to the control interface files.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-ssid"> + <para>This field sets the network name.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-wpa"> + <para>The <literal>wpa</literal> field enables WPA and + specifies which WPA authentication protocol will be + required. A value of <literal>1</literal> configures the + AP for WPA-PSK.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-pass"> + <para>The <literal>wpa_passphrase</literal> field + contains the ASCII passphrase for the WPA + authentication.</para> + + <warning> + <para>Always use strong passwords that are + sufficiently long and made from a rich alphabet so + they will not be guessed and/or attacked.</para> + </warning> + </callout> + + <callout arearefs="co-ap-wpapsk-kmgmt"> + <para>The <literal>wpa_key_mgmt</literal> line refers to + the key management protocol we use. In our case it is + WPA-PSK.</para> + </callout> + + <callout arearefs="co-ap-wpapsk-pwise"> + <para>The <literal>wpa_pairwise</literal> field + indicates the set of accepted encryption algorithms by + the Access Point. Here both TKIP (WPA) and CCMP + (WPA2) ciphers are accepted. 
CCMP cipher is an + alternative to TKIP and that is strongly preferred + when possible; TKIP should be used solely for stations + incapable of doing CCMP.</para> + </callout> + </calloutlist> + + <para>The next step is to start + <application>hostapd</application>:</para> + + <screen>&prompt.root <userinput>/etc/rc.d/hostapd forcestart</userinput></screen> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput> + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap> + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen> + + <para>The Access Point is running, the clients can now be + associated with it, see <xref + linkend="network-wireless-wpa"> for more details. It is + possible to see the stations associated with the AP using + the <command>ifconfig <replaceable>ath0</replaceable> list + sta</command> command.</para> + </sect4> + </sect3> + + <sect3> + <title>WEP Host-based Access Point</title> + + <para>It is not recommended to use WEP for setting up an + Access Point since there is no authentication mechanism and + it is easily to be cracked. 
Some legacy wireless cards only + support WEP as security protocol, these cards will only + allow to set up AP without authentication or encryption or + using the WEP protocol.</para> + + <para>The wireless device can now be put into hostap mode and + configured with the correct SSID and IP address:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g mediaopt hostap \ + inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput></screen> + + <itemizedlist> + <listitem> + <para>The <literal>weptxkey</literal> means which WEP + key will be used in the transmission. Here we used the + third key (note that the key numbering starts with + <literal>1</literal>). This parameter must be specified + to really encrypt the data.</para> + </listitem> + + <listitem> + <para>The <literal>wepkey</literal> means setting the + selected WEP key. It should in the format + <replaceable>index:key</replaceable>, if the index is + not given, key <literal>1</literal> is set. 
That is + to say we need to set the index if we use keys other + than the first key.</para> + </listitem> + </itemizedlist> + + <para>Use again <command>ifconfig</command> to see the status + of the <devicename>ath0</devicename> interface:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput> + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap> + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen> + + <para>From another wireless machine, it is possible to initiate + a scan to find the AP:</para> + + <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput> +SSID BSSID CHAN RATE S:N INT CAPS +freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS</screen> + + <para>The client machine found the Access Point and can be + associated with it using the correct parameters (key, etc.), + see <xref linkend="network-wireless-wep"> for more + details.</para> + </sect3> + </sect2> + <sect2> <title>Troubleshooting</title> 
@@ -2773,6 +3072,21 @@ </sect3> <sect3> + <title>Address limits</title> + + <para>The number of unique source MAC addresses behind an + interface can limited. Once the limit is reached packets + with unknown source addresses are dropped until an + existing host cache entry expires or is removed.</para> + + <para>The following example sets the maximum number of Ethernet + devices for <hostid role="Hostname">CustomerA</hostid> on + <literal>vlan100</literal> to 10.</para> + + <screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen> + </sect3> + + <sect3> <title>SNMP Monitoring</title> <para>The bridge interface and STP parameters can be monitored
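Review bot: in the @@ -1739,6 +1739,305 @@ hunk, the callout for `wpa=1` says this value "configures the AP for WPA-PSK", but in hostapd the `wpa` field selects the protocol version (1 = WPA, 2 = WPA2/RSN, 3 = both) while PSK versus EAP is chosen by `wpa_key_mgmt`; with `wpa=1` the `wpa_pairwise=CCMP TKIP` callout's statement that CCMP (WPA2) is accepted does not hold, and the sample output `authmode WPA2/802.11i privacy MIXED` is at odds with a WPA-only setting. Consider `wpa=2` (or `wpa=3` only where TKIP-only stations must be supported) and reword the callout to say what the number actually selects. Two markup defects in the same hunk: `<screen>&prompt.root <userinput>/etc/rc.d/hostapd forcestart</userinput></screen>` is missing the `;` after the entity name, and in the first hostap example `</userinput>` closes before `inet ... netmask ...`, so the address part falls outside the user-input markup (the `/etc/rc.conf` line further down carries the whole command in one element and is the form to follow). Wording nits: "also know as hostap mode" should read "also known as", "these informations" should be "this information", "Once the AP configured as previously shown" needs "is", and "it is easily to be cracked" should be "it is easily cracked".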
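Review bot: in the @@ -2773,6 +3072,21 @@ hunk, "The number of unique source MAC addresses behind an interface can limited" is missing a verb and should read "can be limited"; the following sentence also wants a comma after "Once the limit is reached". Otherwise the `ifmaxaddr vlan100 10` example matches the prose, which is what a reader needs to understand that the limit is per member interface and that excess sources are dropped rather than queued.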