We All Run Crap On Our Networks
Part of the reason I run my own wireless infrastructure is because I have, over time, obtained a fair number of "smart" doodads that require wireless connectivity. Remember the 2016 Dyn attack? This stuff needs to be on a segregated network with no access to anything valuable on my home network. The IoT devices go on their own SSID, live on a separate subnet, and are firewalled from anything useful. In this post I am going to elide the PF shenanigans that make this possible (the FreeBSD handbook does a better job of this than I ever could), and instead concentrate on the business of running two wireless access points using only one wireless card.
The idea here is that we have two SSIDs, one called Crystalnet-int and another called Crystalnet-iot. I leave it as an exercise to the reader to deduce which SSID my wayward IoT devices will be connecting to. As always, all commands are issued as root.
Our underlying wireless device shows up when we execute the following command:
# sysctl net.interfaces.wlan # ath0
We then start adding things to rc.conf. First we define our new virtual wireless interfaces:
We also tell the system that the virtual interfaces will be operating as access points:
create_args_wlan0="wlanmode hostap bssid"
create_args_wlan1="wlanmode hostap bssid"
The bssid argument above is critical: it ensures that the two new interfaces have different MAC addresses, and cannot be mistaken for each other by connecting clients.
# service netif restart
Issuing ifconfig now shows two new interfaces:
Nothing Is Ever Simple
Next we configure the builtin hostapd(8) module to manage our new virtual wireless interfaces. The underlying binary takes multiple configuration files before daemonizing itself, one for each interface being managed. My configurations are simple, and taken directly from the handbook:
# vi /etc/hostapd-<iface>.conf
interface=<iface>
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=<ssid name>
wpa=2
wpa_passphrase=<password>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
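As an added example (not part of the original post or of the FreeBSD base system), the shell functions below render one file per interface from the template above, reject passphrases outside WPA2's 8 to 63 character range, keep the files owner-readable because they hold the passphrase in clear text, and flag a passphrase shared between the two SSIDs. The names write_conf, psk_reused and OUT_DIR, and the usage values, are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names, OUT_DIR and
# the usage values are assumptions; the keys come from the template above.
OUT_DIR="${OUT_DIR:-./hostapd-demo}"   # point at /etc on the real system

# write_conf <iface> <ssid> <passphrase>
write_conf() {
    iface=$1; ssid=$2; psk=$3
    # A WPA2-PSK passphrase must be 8 to 63 characters long.
    if [ "${#psk}" -lt 8 ] || [ "${#psk}" -gt 63 ]; then
        echo "passphrase for $iface must be 8-63 characters" >&2
        return 1
    fi
    mkdir -p "$OUT_DIR" || return 1
    conf="$OUT_DIR/hostapd-$iface.conf"
    # The file stores the passphrase in clear text: owner-only from creation.
    ( umask 077
      cat > "$conf" <<EOF
interface=$iface
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=$ssid
wpa=2
wpa_passphrase=$psk
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
EOF
    ) || return 1
    chmod 600 "$conf"   # also tightens a file that already existed
}

# psk_reused <conf>...: exit 0 if two files share a passphrase. Segregation
# assumes the IoT passphrase is useless on the internal SSID.
psk_reused() {
    dup=$(sed -n 's/^wpa_passphrase=//p' "$@" | sort | uniq -d)
    [ -n "$dup" ]
}

# Usage (constructed values):
#   write_conf wlan0 Crystalnet-int 'constructed-internal-passphrase'
#   write_conf wlan1 Crystalnet-iot 'constructed-iot-passphrase'
#   psk_reused "$OUT_DIR"/hostapd-*.conf && echo "passphrase reused" >&2
```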
Unfortunately, the existing hostapd rc script doesn't allow for multiple access points, so I had to do a bit of surgery. The results are here; paste the contents into /etc/rc.d/hostapd, and add the following to
hostapd_ifaces="wlan0 wlan1"
hostapd_enable="YES"
Upon starting the service...
# service hostapd start
... we see two healthy SSIDs:
And They Lived Happily Ever After
After my pseudo rant last time round, you could be forgiven for thinking that I was being sarcastic with the title of this section. In this case, however, you would be wrong: shortly after finishing setting up my access point, I sent out an email asking if anyone wanted my multi-SSID modification, received confirmation that there was interest, and filed a PR with the patch. I hope to see the change make it into the base system sooner rather than later.
Yes, things are sometimes broken on FreeBSD, but it is worth taking a moment to celebrate how easy the Project makes it for even the most unmotivated among us to help ourselves.