From owner-p4-projects@FreeBSD.ORG Fri Dec 21 13:55:27 2007 Return-Path: Delivered-To: p4-projects@freebsd.org Received: by hub.freebsd.org (Postfix, from userid 32767) id CFC0816A46B; Fri, 21 Dec 2007 13:55:26 +0000 (UTC) Delivered-To: perforce@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 7535316A421 for ; Fri, 21 Dec 2007 13:55:26 +0000 (UTC) (envelope-from gabor@freebsd.org) Received: from repoman.freebsd.org (repoman.freebsd.org [IPv6:2001:4f8:fff6::29]) by mx1.freebsd.org (Postfix) with ESMTP id 548FC13C474 for ; Fri, 21 Dec 2007 13:55:21 +0000 (UTC) (envelope-from gabor@freebsd.org) Received: from repoman.freebsd.org (localhost [127.0.0.1]) by repoman.freebsd.org (8.14.1/8.14.1) with ESMTP id lBLDtLfU013499 for ; Fri, 21 Dec 2007 13:55:21 GMT (envelope-from gabor@freebsd.org) Received: (from perforce@localhost) by repoman.freebsd.org (8.14.1/8.14.1/Submit) id lBLDtLTE013496 for perforce@freebsd.org; Fri, 21 Dec 2007 13:55:21 GMT (envelope-from gabor@freebsd.org) Date: Fri, 21 Dec 2007 13:55:21 GMT Message-Id: <200712211355.lBLDtLTE013496@repoman.freebsd.org> X-Authentication-Warning: repoman.freebsd.org: perforce set sender to gabor@freebsd.org using -f From: Gabor Kovesdan To: Perforce Change Reviews Cc: Subject: PERFORCE change 131369 for review X-BeenThere: p4-projects@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: p4 projects tree changes List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Dec 2007 13:55:27 -0000 http://perforce.freebsd.org/chv.cgi?CH=131369 Change 131369 by gabor@gabor_server on 2007/12/21 13:55:19 IFC Affected files ... .. //depot/projects/docproj_hu/books/handbook/advanced-networking/chapter.sgml#3 integrate Differences ... ==== //depot/projects/docproj_hu/books/handbook/advanced-networking/chapter.sgml#3 (text+ko) ==== @@ -1,7 +1,7 @@ 
@@ -901,8 +901,8 @@ &prompt.root; ifconfig ath0 up scan SSID BSSID CHAN RATE S:N INT CAPS -dlinkap 00:13:46:49:41:76 6 54M 29:0 100 EPS WPA WME -freebsdap 00:11:95:c3:0d:ac 1 54M 22:0 100 EPS WPA +dlinkap 00:13:46:49:41:76 6 54M 29:3 100 EPS WPA WME +freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS WPA You must mark the interface @@ -1143,7 +1143,7 @@ parameters you have set up for selecting an access point: - ifconfig_ath0="inet 192.168.1.100 netmask 255.255.255.0 ssid your_ssid_here" + ifconfig_ath0="ssid your_ssid_here inet 192.168.1.100 netmask 255.255.255.0" @@ -1635,8 +1635,8 @@ WEP can be set up with ifconfig: - &prompt.root; ifconfig ath0 inet 192.168.1.100 netmask 255.255.255.0 ssid my_net \ - wepmode on weptxkey 3 wepkey 3:0x3456789012 + &prompt.root; ifconfig ath0 ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012 \ + inet 192.168.1.100 netmask 255.255.255.0 @@ -1698,7 +1698,7 @@ On the box A: - &prompt.root; ifconfig ath0 inet 192.168.0.1 netmask 255.255.255.0 ssid freebsdap mediaopt adhoc + &prompt.root; ifconfig ath0 ssid freebsdap mediaopt adhoc inet 192.168.0.1 netmask 255.255.255.0 &prompt.root; ifconfig ath0 ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 @@ -1717,14 +1717,14 @@ &prompt.root; ifconfig ath0 up scan SSID BSSID CHAN RATE S:N INT CAPS - freebsdap 02:11:95:c3:0d:ac 2 54M 19:0 100 IS + freebsdap 02:11:95:c3:0d:ac 2 54M 19:3 100 IS The I in the output confirms the machine A is in ad-hoc mode. We just have to configure B with a different IP address: - &prompt.root; ifconfig ath0 inet 192.168.0.2 netmask 255.255.255.0 ssid freebsdap mediaopt adhoc + &prompt.root; ifconfig ath0 ssid freebsdap mediaopt adhoc inet 192.168.0.2 netmask 255.255.255.0 &prompt.root; ifconfig ath0 ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 
@@ -1739,6 +1739,305 @@ ready to exchange informations. + + &os; Host Access Points + + &os; can act as an Access Point (AP) which eliminates the + need to buy a hardware AP or run an ad-hoc network. This can be + particularly useful when your &os; machine is acting as a + gateway to another network (e.g., the Internet). + + + Basic Settings + + Before configuring your &os; machine as an AP, the + kernel must be configured with the appropriate wireless + networking support for your wireless card. You also have to + add the support for the security protocols you intend to + use. For more details, see . + + + The use of the NDIS driver wrapper and the &windows; + drivers do not allow currently the AP operation. Only + native &os; wireless drivers support AP mode. + + + Once the wireless networking support is loaded, you can + check if your wireless device supports the host-based access + point mode (also know as hostap mode): + + &prompt.root; ifconfig ath0 list caps +ath0=783ed0f<WEP,TKIP,AES,AES_CCM,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME> + + This output displays the card capabilities; the + HOSTAP word confirms this wireless card + can act as an Access Point. Various supported ciphers are + also mentioned: WEP, TKIP, WPA2, etc., these informations + are important to know what security protocols could be set + on the Access Point. 
+ + The wireless device can now be put into hostap mode and + configured with the correct SSID and IP address: + + &prompt.root; ifconfig ath0 ssid freebsdap mode 11g mediaopt hostap inet 192.168.0.1 netmask 255.255.255.0 + + Use again ifconfig to see the status + of the ath0 interface: + + &prompt.root; ifconfig ath0 + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap> + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode OPEN privacy OFF txpowmax 38 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100 + + The hostap parameter indicates the + interface is running in the host-based access point + mode. + + The interface configuration can be done automatically at + boot time by adding the following line to + /etc/rc.conf: + + ifconfig_ath0="ssid freebsdap mode 11g mediaopt hostap inet 192.168.0.1 netmask 255.255.255.0" + + + + Host-based Access Point without Authentication or + Encryption + + Although it is not recommended to run an AP without any + authentication or encryption, this is a simple way to check + if your AP is working. This configuration is also important + for debugging client issues. 
+ + Once the AP configured as previously shown, it is + possible from another wireless machine to initiate a scan to + find the AP: + + &prompt.root; ifconfig ath0 up scan +SSID BSSID CHAN RATE S:N INT CAPS +freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 ES + + The client machine found the Access Point and can be + associated with it: + + &prompt.root; ifconfig ath0 ssid freebsdap inet 192.168.0.2 netmask 255.255.255.0 +&prompt.root; ifconfig ath0 + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1 + inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255 + ether 00:11:95:d5:43:62 + media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps) + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100 + + + + WPA Host-based Access Point + + This section will focus on setting up &os; Access Point + using the WPA security protocol. More details regarding WPA + and the configuration of WPA-based wireless clients can be + found in the . + + The hostapd daemon is used to + deal with client authentication and keys management on the + WPA enabled Access Point. + + In the following, all the configuration operations will + be performed on the &os; machine acting as AP. Once the + AP is correctly working, hostapd + should be automatically enabled at boot with the following + line in /etc/rc.conf: + + hostapd_enable="YES" + + Before trying to configure + hostapd, be sure you have done + the basic settings introduced in the . + + + WPA-PSK + + WPA-PSK is intended for small networks where the use + of an backend authentication server is not possible or + desired. 
+ + The configuration is done in the + /etc/hostapd.conf file: + + interface=ath0 +debug=1 +ctrl_interface=/var/run/hostapd +ctrl_interface_group=wheel +ssid=freebsdap +wpa=1 +wpa_passphrase=freebsdmall +wpa_key_mgmt=WPA-PSK +wpa_pairwise=CCMP TKIP + + + + This field indicates the wireless interface used + for the Access Point. + + + + This field sets the level of verbosity during the + execution of hostapd. A + value of 1 represents the minimal + level. + + + + The ctrl_interface field gives + the pathname of the directory used by + hostapd to stores its + domain socket files for the communication with + external programs such as &man.hostapd.cli.8;. The + default value is used here. + + + + The ctrl_interface_group line + sets the group (here, it is the + wheel group) allowed to access + to the control interface files. + + + + This field sets the network name. + + + + The wpa field enables WPA and + specifies which WPA authentication protocol will be + required. A value of 1 configures the + AP for WPA-PSK. + + + + The wpa_passphrase field + contains the ASCII passphrase for the WPA + authentication. + + + Always use strong passwords that are + sufficiently long and made from a rich alphabet so + they will not be guessed and/or attacked. + + + + + The wpa_key_mgmt line refers to + the key management protocol we use. In our case it is + WPA-PSK. + + + + The wpa_pairwise field + indicates the set of accepted encryption algorithms by + the Access Point. Here both TKIP (WPA) and CCMP + (WPA2) ciphers are accepted. CCMP cipher is an + alternative to TKIP and that is strongly preferred + when possible; TKIP should be used solely for stations + incapable of doing CCMP. 
+ + + + The next step is to start + hostapd: + + &prompt.root /etc/rc.d/hostapd forcestart + + &prompt.root; ifconfig ath0 + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap> + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100 + + The Access Point is running, the clients can now be + associated with it, see for more details. It is + possible to see the stations associated with the AP using + the ifconfig ath0 list + sta command. + + + + + WEP Host-based Access Point + + It is not recommended to use WEP for setting up an + Access Point since there is no authentication mechanism and + it is easily to be cracked. Some legacy wireless cards only + support WEP as security protocol, these cards will only + allow to set up AP without authentication or encryption or + using the WEP protocol. + + The wireless device can now be put into hostap mode and + configured with the correct SSID and IP address: + + &prompt.root; ifconfig ath0 ssid freebsdap wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g mediaopt hostap \ + inet 192.168.0.1 netmask 255.255.255.0 + + + + The weptxkey means which WEP + key will be used in the transmission. Here we used the + third key (note that the key numbering starts with + 1). This parameter must be specified + to really encrypt the data. + + + + The wepkey means setting the + selected WEP key. It should in the format + index:key, if the index is + not given, key 1 is set. That is + to say we need to set the index if we use keys other + than the first key. 
+ + + + Use again ifconfig to see the status + of the ath0 interface: + + &prompt.root; ifconfig ath0 + ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 + inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255 + inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4 + ether 00:11:95:c3:0d:ac + media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap> + status: associated + ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac + authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100 + + From another wireless machine, it is possible to initiate + a scan to find the AP: + + &prompt.root; ifconfig ath0 up scan +SSID BSSID CHAN RATE S:N INT CAPS +freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS + + The client machine found the Access Point and can be + associated with it using the correct parameters (key, etc.), + see for more + details. + + + Troubleshooting @@ -2773,6 +3072,21 @@ + Address limits + + The number of unique source MAC addresses behind an + interface can limited. Once the limit is reached packets + with unknown source addresses are dropped until an + existing host cache entry expires or is removed. + + The following example sets the maximum number of Ethernet + devices for CustomerA on + vlan100 to 10. + + &prompt.root; ifconfig bridge0 ifmaxaddr vlan100 10 + + + SNMP Monitoring The bridge interface and STP parameters can be monitored
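Review bot: the reorderings in the @@ -1143, @@ -1635, @@ -1698 and @@ -1717 hunks move "ssid", "wepmode ... wepkey ..." and "mediaopt adhoc" ahead of "inet ... netmask ..." but the surrounding text never says why; one sentence explaining that the 802.11 parameters are given before the address, and that the rc.conf line follows the same order, would keep later editors from "tidying" the arguments back. The new order is at least consistent with every ifconfig example in the new Access Point section.

Review bot: in the @@ -1739 hunk, "&prompt.root /etc/rc.d/hostapd forcestart" in the WPA-PSK subsection is missing the semicolon that closes the entity reference ("&prompt.root;" everywhere else in the hunk); as written the entity will not resolve and the build will either fail or render the text literally. A documentation point in the same subsection: "wpa=1" tells hostapd to advertise WPA (version 1) only, so although "wpa_pairwise=CCMP TKIP" accepts the CCMP cipher, WPA2/RSN is not offered to stations; if the callout's "both TKIP (WPA) and CCMP (WPA2) ciphers are accepted" is meant to serve WPA and WPA2 clients, the example should use "wpa=3" ("wpa=2" for WPA2 only) and the callout should stop equating CCMP with WPA2. The ifconfig capture taken after hostapd starts shows "mtu 2290" where every other capture shows "mtu 1500"; worth re-checking that paste. Grammar in the added prose: "ready to exchange informations" (information), "do not allow currently the AP operation" (do not currently support AP operation), "also know as hostap mode" (known), "these informations are important" (this information is important), "Once the AP configured as previously shown" (Once the AP is configured), "it is easily to be cracked" (it is easily cracked), "only support WEP as security protocol, these cards will only allow to set up AP" (only support WEP as a security protocol; these cards only allow an AP to be set up), "The weptxkey means which WEP key will be used" (weptxkey selects which WEP key is used), "It should in the format" (It should be in the format).

Review bot: in the @@ -2773 hunk, "The number of unique source MAC addresses behind an interface can limited" drops the verb: "can be limited". Since the paragraph already explains that packets from unknown sources are dropped once the limit is reached, a clause saying what an administrator gains from that (a single member port cannot fill the bridge's address cache with new addresses) would make the purpose of "ifmaxaddr" clear; the example command itself is fine.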