Creating an OpenBSD Wireless Access Point

Revision History

Revision 0.2 2006-08-11 gea

Have added a different network card that works with 11g.

Revision 0.1 2006-08-06 gea

Initial notes and starting to clean up how to set up this wireless gateway on OpenBSD 3.9. Some key points to remember are noted in this howto which I think people will find useful.


Table of Contents

Prerequisites
Setting up the Router
Setting up the network interfaces
Setting up the DHCPD server
Setting up the Packet Filter
Changing Network cards
A. The actual files
dhcpd.conf

Prerequisites

This document is based on OpenBSD 4.2.

NOTE: THIS DOCUMENT IS NOT CORRECT. YOU MAY GET A FEW IDEAS FROM IT, BUT I NEED TO CLEAN THIS UP. Dec 13, 2007

Setting up the Router

The Preliminaries

Go into /etc and edit sysctl.conf. Find and uncomment the line net.inet.ip.forwarding=1. This lets the kernel forward IPv4 packets between its interfaces, which a gateway has to do.

The next step is to edit rc.conf [1]. Your rc.conf file should enable at least the following:

  • dhcpd_flags=""

  • pf=YES

Caution

Under no circumstances should you enable routed. It leads to arcane errors such as "punt RTM_ADD without gateway", an error message from so far back that Google cannot find any good explanation of it.

Setting up the network interfaces

The interface files used here are hostname.rtw0 (the wireless card, brought up in hostap mode), hostname.vr0 (the wired card) and mygate; see the appendix for their contents.

Setting up the DHCPD server

Include dhcpd.conf and dhcpd.interfaces.

Setting up the Packet Filter

See pf.conf in the appendix for the basic rules. As listed there, the default "block all" is commented out and the wireless interface is skipped with "set skip on $int_if", so the box NATs and passes everything and filters nothing; that is enough to get traffic flowing, not a hardened ruleset.

Have set up hostname.rtw0 (hostname.WirelessInterface).

Now adding a DHCP server and adding it to dhcpd.

DHCP SERVER added. DHCP IS NOT WORKING (DHCP SERVER WORKING, SEE NEW CONFIG).

Still working on hostname.rtw0. HOSTNAME WORKS BUT DOESN'T MATCH WHAT IS GOING ON WITH THE MAN PAGES.

-----------------------------

Start the dhcpd server.

Use dhcpd.conf and dhcpd.interfaces, and need to turn on dhcpd in rc.conf. LOOKS LIKE I NEEDED TO DEFINE dhcpd= rtw0 in rc.conf.

At this point I can log in via wireless.

But the laptop coming in on 192.168.3.2 cannot access anything else. From the laptop I can ping both the wireless card and the network card on the same computer, but cannot ping the main internal network card.

HAD AN EPIPHANY. I JUST ENDED UP HAVING OPENBSD PF GOING THROUGH A LINUX IPTABLES SET. I wonder if that is the problem. When I look at the IPTABLES ON THELONIOUS I WONDER IF I AM SCREWING THINGS UP WHEN I TAKE ALL PACKETS FROM 192.168.1.10 and send them out under a certain address, i.e. I'm not doing NAT.

I just realized the same problem is also occurring when I try to connect to pooky.mung.net from the web site. The packets don't get to pooky.mung.net. I.e. the issue that I realized is that when I am at my laptop, I couldn't get my laptop to show pooky.mung.net. Oh wait a sec, pooky.mung.net at this point just shows mung.net.

### Need to reboot DHCPD to work, by putting it in rc.local and just "dhcpd rtw0"; dhcpd doesn't seem to be finding it the first time. Right now, the problem is that once I log in, it freezes. I suspect it's PF. THIS TURNS OUT TO BE WRONG. See the OPENBSD FAQ:

8.22 - Reverse DNS - or - Why is it taking so long for me to log in?

Many new users to OpenBSD experience a two minute login delay when using services such as ssh, ftp, or telnet. This can also be experienced when using a proxy, such as ftp-proxy, or when sending mail out from a workstation through sendmail. This is almost always due to a reverse-DNS problem. DNS is Domain Name Services, the system the Internet uses to convert a name, such as "www.openbsd.org" into a numeric IP address. Another task of DNS is the ability to take a numeric address and convert it back to a "name", this is "Reverse DNS".

In order to provide better logging, OpenBSD performs a reverse-DNS lookup on any machine that attaches to it in many different ways, including ssh, ftp, telnet, sendmail or ftp-proxy. Unfortunately, in some cases, the machine that is making the connection does not have a proper reverse DNS entry.

An example of this situation: A user sets up an OpenBSD box as a firewall and gateway to their internal home network, mapping all their internal computers to one external IP using NAT. They may also use it as an outbound mail relay. They follow the installation guidelines, and are very happy with the results, except for one thing -- every time they try to attach to the box in any way, they end up with a two minute delay before things happen.

What is going on: From a workstation behind the NAT of the gateway with an unregistered IP address of 192.168.1.35, the user uses ssh to access the gateway system. The ssh client prompts for username and password, and sends them to the gateway box. The gateway then tries to figure out who is trying to log in by performing a reverse DNS lookup of 192.168.1.35. The problem is 192.168.0.0 addresses are for private use, so a properly configured DNS server outside your network knows it should have no information about those addresses. Some will quickly return an error message, in these cases, OpenBSD will assume there is no more information to be gained, and it will quickly give up and just admit the user. Other DNS servers will not return ANY response. In this case you will find yourself waiting for the OpenBSD name resolver to time out, which takes about two minutes before the login will be permitted to continue. In the case of ftp-proxy, some ftp clients will timeout before the reverse DNS query times out, leading to the impression that ftp-proxy isn't working. This can be quite annoying. Fortunately, it is an easy thing to fix.

Fix, using /etc/hosts: The simplest fix is to populate your /etc/hosts file with all the workstations you have in your internal network, and ensure that your /etc/resolv.conf file contains the line "lookup file bind" which ensures that the resolver knows to start with the /etc/hosts file, and failing that, to use the DNS servers specified by the "nameserver" lines in your /etc/resolv.conf file. Your /etc/hosts file will look something like this:

    ::1           localhost.in.example.org localhost
    127.0.0.1     localhost.in.example.org localhost
    192.168.1.1   gw.in.example.org gw
    192.168.1.20  scrappy.in.example.org scrappy
    192.168.1.35  shadow.in.example.org shadow

NOTE: MY GATE ON OPENBSD POOKY SHOULD IN FACT BE 192.168.1.1, not 192.168.1.10. TRYING TO TURN ON ROUTED in rc.conf.

IT WORKS! IT WORKS! AT THIS POINT I HAVE A WORKING WIRELESS GATEWAY OPENBSD SERVER!!!!! THESE FILES, LOADED today at ABOUT 11:24 PM, AUGUST 5, 2006, WORK!!! DON'T RUN ROUTED; YOU WILL GET "punt RTM_ADD without gateway" and lose the ability to route. "punt RTM_ADD without gateway" causes you to lose the routing table, i.e. if you run routed. Tomorrow: SEE IF YOU CAN RENAME INT 192.168.3.1 but still have everything else work?

TODAY, COULDN'T SLEEP. THE KEY WAS TO UNDERSTAND ROUTING. IN THIS CASE, I HAD 192.168.3.2, which is the laptop, and I kept putting in the gateway of the other network card (not the access point wireless card), so I would put down that the laptop's gateway was 192.168.1.10 (pooky's IP address when it is behind the main gateway), and since a router just directs to the next hop, it could not get to it. So I had to say that the laptop's wireless NIC had to hop to the wireless NIC in the OpenBSD server, i.e. 192.168.3.1. I.e. the OPENBSD BOX already has its gateway defined by "mygate"; the problem was I was defining the correct gateway for the laptop. MORE IMPORTANTLY, a gateway can only be one hop away, so when defining the DHCPD server I was giving the network card a gateway that was more than a hop away. IT LOOKS LIKE ALL I HAVE TO CHANGE IS THE EXT_INT AND MAKE IT WORK AS A MAIN SERVER.

Changing Network cards

When changing network cards, remember that:

  1. rc.local needs to change, since DHCPD has to be restarted with the correct interface.

  2. pf.conf needs to change, since the rules have to name the correct interfaces, i.e. the int_if and ext_if devices must be defined correctly.
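As an added check (not part of the original howto), the following Python audits the settings listed in the preliminaries and the files this section says must agree after a card swap. The file contents are constructed from the appendix listings, and the set of interface names stands in for the hostname.<if> files in /etc.

```python
import re

# Constructed inputs, taken from the listings in the appendix of this howto.
RC_CONF = 'routed_flags=NO\ndhcpd_flags=""\npf=YES\n'
SYSCTL_CONF = '#net.inet.ip.forwarding=1\nnet.inet.ip.forwarding=1\n'
PF_CONF = 'ext_if = vr0\nint_if = rtw0\nset skip on $int_if\n#block all\n'
RC_LOCAL = 'echo "restart DHCPD"\ndhcpd rtw0\n'
HOSTNAME_FILES = {"vr0", "rtw0"}   # hostname.<if> files present in /etc

def kv(text):
    """Parse key=value lines (rc.conf, sysctl.conf, pf macros); drop comments."""
    out = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\S+?)\s*=\s*(.*)$", line)
        if m:
            out[m.group(1)] = m.group(2).strip().strip('"')
    return out

def audit(rc_conf, sysctl_conf, pf_conf, rc_local, hostname_files):
    """Return a list of findings; an empty list means the files agree."""
    rc, sc, pf = kv(rc_conf), kv(sysctl_conf), kv(pf_conf)
    findings = []
    if sc.get("net.inet.ip.forwarding") != "1":
        findings.append("sysctl.conf: net.inet.ip.forwarding is not 1")
    if rc.get("pf", "NO").upper() != "YES":
        findings.append("rc.conf: pf is not YES")
    if rc.get("dhcpd_flags", "NO").upper() == "NO":
        findings.append("rc.conf: dhcpd_flags=NO, dhcpd will not start at boot")
    if rc.get("routed_flags", "NO").upper() != "NO":
        findings.append("rc.conf: routed is enabled (see the caution above)")
    # The interface dhcpd is restarted on must be the one pf treats as internal.
    m = re.search(r"^\s*dhcpd\s+(\S+)", rc_local, re.M)
    dhcp_if = m.group(1) if m else None
    if dhcp_if != pf.get("int_if"):
        findings.append(f"rc.local runs dhcpd on {dhcp_if} but pf.conf "
                        f"int_if is {pf.get('int_if')}")
    # Every interface pf names must have a hostname.<if> file to bring it up.
    for name in ("ext_if", "int_if"):
        if pf.get(name) not in hostname_files:
            findings.append(f"pf.conf {name}={pf.get(name)} has no hostname file")
    # With 'block all' commented out, pf passes everything by default.
    if "block all" not in [l.strip() for l in pf_conf.splitlines()]:
        findings.append("pf.conf: no active 'block all'; default policy is pass")
    return findings

if __name__ == "__main__":
    for f in audit(RC_CONF, SYSCTL_CONF, PF_CONF, RC_LOCAL, HOSTNAME_FILES):
        print(f)
```

Run against the appendix files as listed, the only finding is the commented-out "block all"; swap the card in one file and not the other and the interface mismatch is reported.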

A.  The actual files

I have always enjoyed seeing actual configuration files so I can see what someone is talking about, so here are all the files I used.

dhcpd.conf


#:	$OpenBSD: dhcpd.conf,v 1.1 1998/08/19 04:25:45 form Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:		192.168.1.0/255.255.255.0
# Domain name:		my.domain
# Name servers:		192.168.1.3 and 192.168.1.5
# Default router:	192.168.1.1
# Addresses:		192.168.1.32 - 192.168.1.127
#

option  domain-name "mung.net";
option  domain-name-servers 206.26.36.34, 198.107.0.14;

	subnet 192.168.3.0 netmask 255.255.255.0 {
		option subnet-mask 255.255.255.0;
		option  domain-name-servers 206.26.36.34, 198.107.0.14;
		option routers 192.168.3.1;
		range 192.168.3.2 192.168.3.127;
	}
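An added example, not from the original howto, applying the routing lesson in the notes above to this dhcpd.conf: the gateway handed out by "option routers" must lie on the leased subnet, and should be this box's own address on that interface (192.168.3.1 from hostname.rtw0). The sample stanza is constructed from the listing above.

```python
import ipaddress
import re

# Constructed sample: the subnet stanza from the dhcpd.conf listed above.
DHCPD_CONF = """
option  domain-name "mung.net";
    subnet 192.168.3.0 netmask 255.255.255.0 {
        option subnet-mask 255.255.255.0;
        option routers 192.168.3.1;
        range 192.168.3.2 192.168.3.127;
    }
"""

STANZA = re.compile(r"subnet\s+(\S+)\s+netmask\s+(\S+)\s*\{(.*?)\}", re.S)

def parse_subnets(text):
    """Return one dict (network, routers, range) per subnet stanza."""
    found = []
    for net, mask, body in STANZA.findall(text):
        routers = re.search(r"option\s+routers\s+([^;]+);", body)
        rng = re.search(r"range\s+(\S+)\s+(\S+);", body)
        found.append({
            "network": ipaddress.ip_network(f"{net}/{mask}", strict=False),
            "routers": [ipaddress.ip_address(r.strip())
                        for r in routers.group(1).split(",")] if routers else [],
            "range": (ipaddress.ip_address(rng.group(1)),
                      ipaddress.ip_address(rng.group(2))) if rng else None,
        })
    return found

def check_subnet(stanza, ap_address):
    """Return problems with the stanza; ap_address is the AP's own address
    on that subnet (192.168.3.1 from hostname.rtw0 in this howto)."""
    net, problems = stanza["network"], []
    ap = ipaddress.ip_address(ap_address)
    if not stanza["routers"]:
        problems.append("no 'option routers': clients get no default gateway")
    for r in stanza["routers"]:
        if r not in net:   # the mistake in the notes above: a gateway two hops away
            problems.append(f"router {r} is not on {net}: more than one hop away")
        elif r != ap:
            problems.append(f"router {r} is not this box's own address {ap}")
    if stanza["range"]:
        lo, hi = stanza["range"]
        if lo not in net or hi not in net or lo > hi:
            problems.append(f"range {lo}-{hi} does not fit inside {net}")
        if any(lo <= r <= hi for r in stanza["routers"]):
            problems.append("router address lies inside the lease range")
    return problems
```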

hostname.rtw0

(Note: -nwkey disables WEP, so as configured this access point is an open network; any client in range can associate and take a lease from dhcpd.)


up media autoselect mediaopt hostap mode 11b chan 6 nwid unwiredbsd -nwkey
inet 192.168.3.1

hostname.vr0


inet 192.168.1.10 255.255.255.0 NONE

mygate


192.168.1.1

pf.conf


#	$OpenBSD: pf.conf,v 1.31 2006/01/30 12:20:31 camield Exp $
#
# See pf.conf(5) and /usr/share/pf for syntax and examples.
# Remember to set net.inet.ip.forwarding=1 and/or net.inet6.ip6.forwarding=1
# in /etc/sysctl.conf if packets are to be forwarded between interfaces.

# --- MACRO section
ext_if = vr0
int_if = rtw0
localnet = $int_if:network
# --- OPTIONS section
set skip on lo0
set skip on $int_if
#set skip on $ext_if


# --- TRANSLATION (NAT/RDR) section
nat on $ext_if from $localnet to any -> ($ext_if)
nat pass on $ext_if inet from $int_if to any -> $ext_if

# --- FILTER section


# --- EXTERNAL INTERFACE RULES
pass out quick on $ext_if inet all keep state

# --- default policy
#block all


rc.local


#	$OpenBSD: rc.local,v 1.38 2005/03/29 21:41:59 uwe Exp $
# site-specific startup actions, daemons, and other things which
# can be done AFTER your system goes into securemode.  For actions
# which should be done BEFORE your system has gone into securemode
# please see /etc/rc.securelevel

# site-specific startup actions, daemons which can be run
# Add your local startup actions to this file

echo -n 'starting local daemons:'

echo "restart DHCPD"
dhcpd rtw0


if [ -x /usr/local/sbin/cfsd ]; then
	if ps auxc | grep -q '^ *root .* mountd$'; then
		echo -n ' cfsd';	/usr/local/sbin/cfsd >/dev/null 2>&1
		mount -o port=3049,nfsv2,intr localhost:/null /crypt
	else
		echo -n ' cfsd (failed, no mountd running)'
	fi
fi

#if [ -x /usr/local/sbin/snmpd ]; then
#	echo -n ' snmpd';	/usr/local/sbin/snmpd
#fi

echo '.'

# Netatalk stuff
#if [ -f /etc/netatalk/rc.atalk ]; then
#	. /etc/netatalk/rc.atalk
#fi


rc.conf


#!/bin/sh -
#
#	$OpenBSD: rc.conf,v 1.109 2005/11/16 09:19:36 camield Exp $

# set these to "NO" to turn them off.  otherwise, they're used as flags
routed_flags=NO		# for normal use: "-q"
mrouted_flags=NO	# for normal use: "", if activated
			# be sure to enable multicast_router below.
ospfd_flags=NO		# for normal use: ""
bgpd_flags=NO		# for normal use: ""
rarpd_flags=NO		# for normal use: "-a"
bootparamd_flags=NO	# for normal use: ""
rbootd_flags=NO		# for normal use: ""
sshd_flags=""		# for normal use: ""
named_flags=NO		# for normal use: ""
rdate_flags=NO		# for normal use: [RFC868-host] or [-n RFC2030-host]
timed_flags=NO		# for normal use: ""
ntpd_flags=NO		# for normal use: ""
isakmpd_flags=NO	# for normal use: ""
mopd_flags=NO		# for normal use: "-a"
apmd_flags=NO		# for normal use: ""
acpid_flags=NO		# for normal use: ""
#CHANGE
#dhcpd_flags=NO		# for normal use: ""
dhcpd_flags=""		# for normal use: ""
rtadvd_flags=NO		# for normal use: list of interfaces
			# be sure to set net.inet6.ip6.forwarding=1
route6d_flags=NO	# for normal use: ""
			# be sure to set net.inet6.ip6.forwarding=1
rtsold_flags=NO		# for normal use: interface
			# be sure to set net.inet6.ip6.forwarding=0
			# be sure to set net.inet6.ip6.accept_rtadv=1
lpd_flags=NO		# for normal use: "" (or "-l" for debugging)
sensorsd_flags=NO	# for normal use: ""
hotplugd_flags=NO	# for normal use: ""
watchdogd_flags=NO	# for normal use: ""
ftpproxy_flags=NO	# for normal use: ""

# use -u to disable chroot, see httpd(8)
#CHANGE
#httpd_flags=NO		# for normal use: "" (or "-DSSL" after reading ssl(8))
httpd_flags=""		# for normal use: "" (or "-DSSL" after reading ssl(8))

# For normal use: "-L sm-mta -bd -q30m", and note there is a cron job
sendmail_flags="-L sm-mta -C/etc/mail/localhost.cf -bd -q30m"
spamd_flags=NO		# for normal use: "" and see spamd-setup(8)
spamd_grey=NO		# use spamd greylisting if YES
spamlogd_flags=""	# use eg. "-i interface" and see spamlogd(8)

# Set to NO if ftpd is running out of inetd
ftpd_flags=NO		# for non-inetd use: "-D"

# Set to NO if identd is running out of inetd
identd_flags=NO		# for non-inetd use: "-b -elo"

# On some architectures, you must also disable console getty in /etc/ttys
xdm_flags=NO		# for normal use: ""

# For enabling console mouse support (i386 alpha amd64)
wsmoused_flags=NO	# for ps/2 or usb mice: "", serial: "-p /dev/cua00"

# set the following to "YES" to turn them on
rwhod=NO
nfs_server=NO		# see sysctl.conf for nfs client configuration
lockd=NO
amd=NO
##CHANGE
#pf=NO			# Packet filter / NAT
pf=YES			# Packet filter / NAT
portmap=NO		# Note: inetd(8) rpc services need portmap too
inetd=YES		# almost always needed
check_quotas=YES	# NO may be desirable in some YP environments

krb5_master_kdc=NO	# KerberosV master KDC. Run 'info heimdal' for help.
krb5_slave_kdc=NO	# KerberosV slave KDC.
afs=NO			# mount and run afs

# Multicast routing configuration
# Please look at netstart(8) for a detailed description if you change these
multicast_host=NO	# Route all multicast packets to a single interface
multicast_router=NO	# A multicast routing daemon will be run, e.g. mrouted

# miscellaneous other flags
# only used if the appropriate server is marked YES above
savecore_flags=			# "-z" to compress
ypserv_flags=			# E.g. -1 for YP v1, -d for DNS etc
yppasswdd_flags=NO		# "-d /etc/yp" if passwd files are in /etc/yp
nfsd_flags="-tun 4"		# Crank the 4 for a busy NFS fileserver
amd_dir=/tmp_mnt		# AMD's mount directory
amd_master=/etc/amd/master	# AMD 'master' map
syslogd_flags=			# add more flags, ie. "-u -a /chroot/dev/log"
pf_rules=/etc/pf.conf		# Packet filter rules file
pflogd_flags=			# add more flags, ie. "-s 256"
afsd_flags=			# Flags passed to afsd
shlib_dirs=			# extra directories for ldconfig, separated
				# by space

local_rcconf="/etc/rc.conf.local"

[ -f ${local_rcconf} ] && . ${local_rcconf} # Do not edit this line

sysctl.conf


#	$OpenBSD: sysctl.conf,v 1.40 2006/01/28 18:22:43 brad Exp $
#
# This file contains a list of sysctl options the user wants set at
# boot time.  See sysctl(3) and sysctl(8) for more information on
# the many available variables.
#
#CHANGE
#net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
net.inet.ip.forwarding=1	# 1=Permit forwarding (routing) of IPv4 packets
#net.inet.ip.mforwarding=1	# 1=Permit forwarding (routing) of IPv4 multicast packets
#net.inet6.ip6.forwarding=1	# 1=Permit forwarding (routing) of IPv6 packets
#net.inet6.ip6.accept_rtadv=1	# 1=Permit IPv6 autoconf (forwarding must be 0)
#net.inet.tcp.rfc1323=0		# 0=Disable TCP RFC1323 extensions (for if tcp is slow)
#net.inet.tcp.rfc3390=0		# 0=Disable RFC3390 for TCP window increasing
#net.inet.esp.enable=0		# 0=Disable the ESP IPsec protocol
#net.inet.ah.enable=0		# 0=Disable the AH IPsec protocol
#net.inet.esp.udpencap=0	# 0=Disable ESP-in-UDP encapsulation
#net.inet.ipcomp.enable=1	# 1=Enable the IPCOMP protocol
#net.inet.etherip.allow=1	# 1=Enable the Ethernet-over-IP protocol
#net.inet.tcp.ecn=1		# 1=Enable the TCP ECN extension
#ddb.panic=0			# 0=Do not drop into ddb on a kernel panic
#ddb.console=1			# 1=Permit entry of ddb from the console
#fs.posix.setuid=0		# 0=Traditional BSD chown() semantics
#vm.swapencrypt.enable=0	# 0=Do not encrypt pages that go to swap
#vfs.nfs.iothreads=4		# number of nfsio kernel threads
#net.inet.ip.mtudisc=0		# 0=disable tcp mtu discovery
#kern.usercrypto=0		# 0=disable userland use of /dev/crypto
#kern.splassert=2		# 2=enable with verbose error messages
machdep.allowaperture=2		# See xf86(4)
#machdep.apmwarn=10		# battery % when apm status messages enabled
#machdep.apmhalt=1		# 1=powerdown hack, try if halt -p doesn't work
#machdep.kbdreset=1		# permit console CTRL-ALT-DEL to do a nice halt
#machdep.userldt=1		# allow userland programs to play with ldt,
				# required by some ports
#kern.emul.aout=1		# enable running dynamic OpenBSD a.out bins
#kern.emul.bsdos=1		# enable running BSD/OS binaries
#kern.emul.freebsd=1		# enable running FreeBSD binaries
#kern.emul.ibcs2=1		# enable running iBCS2 binaries
#kern.emul.linux=1		# enable running Linux binaries
#kern.emul.svr4=1		# enable running SVR4 binaries



[1] I know, I know, you shouldn't touch this, but you can make all the changes in rc.conf.local instead.