The goal here is to setup the bits of the router needed for everyday usage.
As mentioned on the previous post, this setup is based on
an APU2d4, with three ethernet interfaces:
igb0 for egress/wan,
local devices and,
igb2 as a management interface.
The current state is that the machine can setup the connection to eXO
and can correctly accept the IPv6 and IPv4 routes and delegations, and is
ping6 devices on the internet.
Creating network bridges on FreeBSD is pretty straightforward with
man 8 ifconfig and
man 5 rc.conf being the magical man pages.
To do it once:
# Create the bridge with a deterministic name ifconfig bridge create name lair # Add the necessary interfaces ifconfig lair addm igb1 addm wlan0 inet6 auto_linklocal
To do it permanently, add in
cloned_interfaces="bridge0" # Have a deterministic name ifconfig_bridge0_name="lair" # Add the necessary interfaces ifconfig_lair="addm igb1 addm wlan0" # While at it, ensure we have a link local address ifconfig_lair_ipv6="auto_linklocal"
This is done with
hostapd, which is also in the base system.
The magical man pages for this are
man 8 hostapd and
man 5 hostapd.conf
as well as
man 5 rc.conf.
First of all, we setup things in
# Setup the wireless interface wlans_ath0="wlan0" ifconfig_wlan0="HOSTAP" # Respect local regulations and all that -- ES is the country code create_args_wlan0="wlanmode hostap country ES" # Enable the access point daemon hostapd_enable="YES"
Now, we create
/etc/hostapd-wlan0.conf as follows:
interface=wlan0 debug=0 ctrl_interface=/var/run/hostapd ctrl_interface_group=wheel ssid=eXO-wlan wpa=2 wpa_passphrase=WirelessPassword wpa_key_mgmt=WPA-PSK wpa_pairwise=CCMP
Now most of the things are in place in order to forward traffic for other clients in the local network.
A very important step that is missing is becoming a gateway!
man 5 rc.conf is a magical man page.
Add following to
# Act as gateway gateway_enable="YES" ipv6_gateway_enable="YES" # Setup dependent: Accept Route Advertisements even with # IPv6 forwarding enabled. # In my case, this is not needed as DHCP6 is used for prefix delegation. # The value should be the interface where your ISP will be doing RA. #ipv6_cpe_wanif="exoppp"
This is effective after a reboot, using
sysctl and so on is possible, but…
This is also done with the base system, in this case
man 5 rtadvd.conf,
man 5 rc.conf and
man 8 rtadvd are the magic man pages.
It further follows the pattern, we setup
And the software in
# rtadvd will try to get the data from the kernel's routing table # TODO: use own DNS servers, this uses quad9. lair:\ :mininterval#5:\ :maxinterval#10:\ :rdnss="2620:fe::fe,2620:fe::9"\ :mtu#auto:\ :rltime#60:
And then start it with
service rtadvd start
At this point we also modify
/usr/local/etc/dhcp6c.conf to assign a
/64 to the
lair interface as opposed to the
See previous post for the base config.
Now, when another system connects to the
lair bridge (that includes the
access point on
wlan0), it will automagically receive the
information and derive its addresses as necessary (temporary, non-temporary,
random, it’s all black magic).
BUT! Keep on reading, this is important!
Up until now only our router was accessible from the internet without a firewall, but it also had no services running (besides SSH with Public Key based authentication); with the previous step though, besides providing internet to the network, we provide our internal network to the internet :-).
Remember that up until now
My firewall rules are non-trivial and keep evolving, so they won’t be replicated here, instead there will be some cdist type with them soon.
Needless to say,
man pf and
man pfctl are the magical
man pages and block all the things.
TODO: publish the cdist types and link them here
dhcpdto hand out local IPv4s