Multiple SSIDs Using Hostapd and FreeBSD

Posted on Wed 06 September 2017 in technology

We All Run Crap On Our Networks

Part of the reason I run my own wireless infrastructure is that I have, over time, obtained a fair number of "smart" doodads that require wireless connectivity. Remember the 2016 Dyn attack? This stuff needs to be on a segregated network with no access to anything valuable on my home network. The IoT devices go on their own SSID, live on a separate subnet, and are firewalled from anything useful. In this post I am going to elide the PF shenanigans that make this possible (the FreeBSD handbook does a better job of this than I ever could), and instead concentrate on the business of running two wireless access points using only one wireless card.

Preliminaries

The idea here is that we have two SSIDs, one called Crystalnet-int and another called Crystalnet-iot. I leave it as an exercise to the reader to deduce which SSID my wayward IoT devices will be connecting to. As always, all commands are issued as root.

Our underlying wireless device shows up when we execute the following command:

# sysctl net.wlan.devices
net.wlan.devices: ath0

We then start adding things to rc.conf. First we define our new virtual wireless interfaces:

wlans_ath0="wlan0 wlan1"

We also tell the system that the virtual interfaces will be operating as access points:

create_args_wlan0="wlanmode hostap bssid"
create_args_wlan1="wlanmode hostap bssid"

The bssid argument above is critical: it ensures that the two new interfaces have different MAC addresses, and cannot be mistaken for each other by connecting clients.

Restart networking:

# service netif restart

Issuing ifconfig now shows two new interfaces: wlan0 and wlan1.

Nothing Is Ever Simple

Next we configure hostapd(8), which ships in the base system, to manage our new virtual wireless interfaces. The binary takes multiple configuration files before daemonizing itself, one for each interface being managed. My configurations are simple, and taken directly from the handbook:

# vi /etc/hostapd-<iface>.conf
interface=<iface>
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=<ssid name>
wpa=2
wpa_passphrase=<password>
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
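
Each interface needs its own copy of this file, and the passphrase sits in it in clear text. The following is an added example (not from the original post or the FreeBSD project) that writes hostapd-<iface>.conf files with mode 0600 and rejects values that would break or inject into the config. The function name write_hostapd_conf and its arguments are assumptions.

```sh
#!/bin/sh
# Added example: writes one hostapd config per virtual interface, using the
# template shown above. write_hostapd_conf is a hypothetical helper name.
# usage: write_hostapd_conf <conf_dir> <iface> <ssid> <passphrase>
#   e.g. write_hostapd_conf /etc wlan1 Crystalnet-iot "$IOT_PASS"
write_hostapd_conf() {
    dir=$1 iface=$2 ssid=$3 pass=$4
    nl='
'
    # The interface name becomes part of the file name: allow [A-Za-z0-9] only.
    case $iface in
        ''|*[!A-Za-z0-9]*) echo "bad interface name" >&2; return 1 ;;
    esac
    # A newline in either value would inject extra config lines.
    case $ssid$pass in
        *"$nl"*) echo "newline in ssid or passphrase" >&2; return 1 ;;
    esac
    # 802.11 SSIDs are 1-32 bytes; a WPA passphrase is 8-63 characters.
    # (${#var} counts characters, so keep SSIDs ASCII for this check.)
    if [ "${#ssid}" -lt 1 ] || [ "${#ssid}" -gt 32 ]; then
        echo "ssid must be 1-32 bytes" >&2; return 1
    fi
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2; return 1
    fi
    # The passphrase is stored in clear text, so the file is created 0600.
    # The subshell keeps the umask change local; rm -f drops any older,
    # wider-permission copy before the new file is written.
    (
        umask 077
        rm -f "$dir/hostapd-$iface.conf"
        cat > "$dir/hostapd-$iface.conf" <<EOF
interface=$iface
debug=1
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel
ssid=$ssid
wpa=2
wpa_passphrase=$pass
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
EOF
    )
}
```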

Unfortunately, the existing hostapd rc script doesn't allow for multiple access points, so I had to do a bit of surgery. The results are here; paste the contents into /etc/rc.d/hostapd, and add the following to /etc/rc.conf:

hostapd_ifaces="wlan0 wlan1"
hostapd_enable="YES"

Upon starting the service...

# service hostapd start

... we see two healthy SSIDs:

[Image: Wireless Success]

And They Lived Happily Ever After

After my pseudo rant last time round, you could be forgiven for thinking that I was being sarcastic with the title of this section. In this case, however, you would be wrong: shortly after finishing setting up my access point, I sent out an email asking if anyone wanted my multi-SSID modification, received confirmation that there was interest, and filed a PR with the patch. I hope to see the change make it into the base system sooner rather than later.

Yes, things are sometimes broken on FreeBSD, but it is worth taking a moment to celebrate how easy the Project makes it for even the most unmotivated among us[1] to help ourselves.

[1] O HAI