Setting up a router with wired and wireless interfaces (WPA2 authentication, TKIP/AES ciphers) and a transparent bridge, so that the wired and wireless clients end up on the same LAN.
I used FreeBSD 8.2 for these tests.
Scheme:
ADSL <—> FreeBSD <—> Lan (wired/wireless)
Kernel config:
device ral # Chipset Ralink – RT2560, RT2561S, RT2661
device ralfw
device wlan # 802.11 support
device wlan_ccmp # 802.11 CCMP (AES) support; add wlan_tkip only if you must serve TKIP clients
device wlan_xauth # 802.11 external authenticator, required for hostapd
device wlan_amrr # Adaptive Multi-Rate Retry
device firmware # firmware assist module
device bridge
Interface settings (/etc/rc.conf):
# Ethernet (re0 = ADSL side, rl0 = wired LAN)
ifconfig_re0="DHCP media 100BaseTX mediaopt full-duplex"
ifconfig_rl0="ether f6:4c:a3:09:d9:e6 media 100BaseTX mediaopt full-duplex"
ifconfig_ral0="ether f6:4c:a3:09:d9:e6"
# Wlan
wlans_ral0="wlan0"
create_args_wlan0="wlanmode hostap"
ifconfig_wlan0="ether f6:4c:a3:09:d9:e6 protmode rtscts fragthreshold 2346 bintval 1000 dtimperiod 15 apbridge mode 11g ssid BLOCKED channel 6"
# Bridge (with Spanning Tree Protocol)
cloned_interfaces="bridge0"
ifconfig_bridge0="ether f6:4c:a3:09:d9:e6 addm rl0 addm wlan0 stp rl0 stp wlan0"
ifconfig_bridge0_alias0="inet 192.168.2.1 netmask 255.255.255.0"
# Hostapd - WPA/WPA2 authenticator for the WiFi LAN
hostapd_enable="YES"
# Gateway (IP forwarding between re0 and bridge0)
gateway_enable="YES"
NOTE: I used the same MAC address on the bridge and on its member interfaces (rl0, ral0/wlan0); re0 keeps its own.
WPA/WPA2 authenticator settings (/etc/hostapd.conf):
interface=wlan0
driver=bsd
# Logging: level 0 is verbose debugging (2 = info, 4 = warning); lower the
# verbosity once the AP works
logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
# members of this group can drive hostapd through hostapd_cli
ctrl_interface_group=wheel
ssid=BLOCKED
macaddr_acl=0
auth_algs=1
ieee8021x=0
# 1 = WPA, 2 = WPA2, 3 = both. Keep comments on their own line: hostapd only
# treats lines that begin with '#' as comments, a '#' after a value becomes
# part of the value.
wpa=2
# Example passphrase only. WPA-PSK accepts 8-63 characters; use 20 or more
# random ones, and keep this file mode 0600 since it holds the key in clear text.
wpa_passphrase=otengio1234
wpa_key_mgmt=WPA-PSK
# Pairwise cipher: CCMP (AES). "CCMP TKIP" also admits TKIP clients, but TKIP is
# deprecated and additionally needs 'device wlan_tkip' in the kernel config above.
wpa_pairwise=CCMP
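As an added example (this is not code from the original post), the following POSIX sh script audits a hostapd.conf for the points raised above: file mode, inline comments, WPA1 being admitted, TKIP, passphrase length and debug-level logging. The two sample configs it writes are constructed for the demo ("weak" mirrors the values discussed on this page, "hardened" is what the audit should accept, with a placeholder passphrase); the 20-character and log-level thresholds are this script's own choices, not hostapd requirements.

```shell
#!/bin/sh
# Added example, not from the original post: audit a hostapd.conf for the
# settings a reviewer would want changed before the AP goes live.
# Thresholds (20-char passphrase, log level >= 2) are this script's own
# choices, not hostapd requirements.

# Value of key $2 in file $1, exactly as hostapd reads it: everything after
# the first '='. hostapd only skips lines that START with '#'; a '#' after a
# value stays part of the value, so no comment stripping is done here either.
conf_value() {
    grep "^$2=" "$1" | head -n 1 | cut -d= -f2-
}

# Print one finding per line; print nothing when the file passes.
audit_hostapd_conf() {
    f=$1

    # The PSK sits in clear text in this file: only root should read it.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || echo "perms: group/other can read $f; chmod 600 it"

    # Trailing comments are dangerous: wpa=2 survives one only because atoi()
    # stops at the space; a trailing comment on wpa_passphrase would not.
    grep -n '^[A-Za-z0-9_]*=.*#' "$f" |
        sed 's/^\([0-9]*\):.*/line \1: inline comment becomes part of the value; move it to its own line/'

    # wpa=1 or wpa=3 still admits WPA1 clients (wpa=0 disables WPA entirely).
    wpa=$(conf_value "$f" wpa | sed 's/^\([0-9]*\).*/\1/')
    [ "$wpa" = "2" ] || echo "wpa=$wpa is not WPA2-only; set wpa=2"

    # TKIP is deprecated (and also needs 'device wlan_tkip' in the kernel).
    case " $(conf_value "$f" wpa_pairwise) " in
        *" TKIP "*) echo "wpa_pairwise lists TKIP; use CCMP only" ;;
    esac

    # A captured 4-way handshake lets an attacker brute-force the passphrase
    # offline; WPA-PSK allows 8-63 characters, so use plenty of random ones.
    pp=$(conf_value "$f" wpa_passphrase)
    [ ${#pp} -ge 20 ] || echo "wpa_passphrase is ${#pp} chars; use 20 or more random characters"

    # hostapd levels: 0 msgdump, 1 debug, 2 info, 3 notice, 4 warning.
    for k in logger_syslog_level logger_stdout_level; do
        lvl=$(conf_value "$f" "$k")
        [ -z "$lvl" ] || [ "$lvl" -ge 2 ] || echo "$k=$lvl logs debug output; use 2 or higher in production"
    done
}

# Number of findings as a bare integer (wc pads with spaces on BSD).
finding_count() {
    audit_hostapd_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample configs: "weak" mirrors the values discussed in the post,
# "hardened" is what the audit should accept. The passphrase is a placeholder.
write_sample_conf() {   # $1 = weak|hardened, $2 = destination path
    if [ "$1" = weak ]; then
        cat > "$2" <<'EOF'
interface=wlan0
driver=bsd
logger_syslog_level=0
logger_stdout_level=0
ssid=BLOCKED
wpa=2 # 1 - WPA / 2 - WPA2
wpa_passphrase=otengio1234
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
EOF
        chmod 644 "$2"
    else
        cat > "$2" <<'EOF'
interface=wlan0
driver=bsd
logger_syslog_level=2
logger_stdout_level=2
ssid=BLOCKED
# 1 = WPA, 2 = WPA2, 3 = both
wpa=2
wpa_passphrase=Xk7pqZ2mwvR9tLb4Qs8uHeN3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
EOF
        chmod 600 "$2"
    fi
}

# Stand-alone demo: audit the weak sample, then the hardened one.
tmp=$(mktemp "${TMPDIR:-/tmp}/hostapd-audit.XXXXXX")
for kind in weak hardened; do
    write_sample_conf "$kind" "$tmp"
    echo "== $kind sample: $(finding_count "$tmp") finding(s)"
    audit_hostapd_conf "$tmp"
done
rm -f "$tmp"
```

The weak sample produces six findings (mode, the inline comment on the wpa line, TKIP, a short passphrase and two debug log levels); the hardened one produces none. To check the real file, run audit_hostapd_conf /etc/hostapd.conf as root instead of the demo loop.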
System settings (/etc/sysctl.conf):
net.link.bridge.pfil_bridge=1 # Run the packet filter on bridge0 itself
net.link.bridge.log_stp=1 # Log STP state changes
net.link.bridge.pfil_onlyip=0 # 0 = non-IP frames (ARP etc.) are bridged unconditionally; 1 = only IP frames pass, subject to the firewall
net.link.bridge.pfil_local_phys=0 # Do not additionally filter locally destined packets on the physical interface
net.link.bridge.pfil_member=1 # Also run the packet filter on each member interface (frames are then filtered twice; set to 0 to filter only on bridge0)
Now you can write your firewall rules against the bridge interface (bridge0), and BE HAPPY!
