FreeBSD + Atheros card = Wireless Access Point

A FreeBSD-powered Sun Blade 100 is now my Wireless Access Point, using an Atheros-based PCI card for handling the 802.11b/g traffic. (I'll post config. details soon.)

Why do it?

My main reasons for choosing this over DD-WRT on a hardware access point include:

  • Maintain an IDS (Snort)
  • Perform traffic shaping (QoS) using ALTQ
  • Structure firewall rules to my preferences with OpenBSD's pf (due to personal preference over iptables)
  • Ensure proper local area IPv6 deployment
  • Easily set up MRTG (or some other traffic grapher) for LAN
  • Because the Sun box is running almost constantly either way, I may as well give it a job...

How do you do it?

Situation:

  • I have cable internet and I'm assigned 1 IP address via DHCP.
  • I have a 10/100 Mbps Ethernet card (rl0) and an Atheros wireless card (ath0)
  • I'm interested in using vanilla WPA -- not open, not WEP, not WPA2, no RADIUS, etc.

As root, I do the following:

# dhclient rl0
# ifconfig ath0 ssid mywifi
# ifconfig ath0 inet 10.0.0.1 mediaopt hostap

You can consult the FreeBSD Handbook on how to set up Network Address Translation. This can be done by a number of methods. Personally, I choose to recompile my kernel to include support for OpenBSD's Packet Filter (PF) and use PF for firewalling and NAT. The handbook covers all this very well, so I'm not going to re-invent the wheel.

Next you need to edit the hostapd.conf and dhcpd.conf files. hostapd.conf configures hostapd (obviously), which lets clients associate with your system -- it's the server equivalent of wpa_supplicant. dhcpd.conf is the configuration for the ISC DHCP daemon, so that clients can get IPs automatically -- it's not necessary, but is nicer than having to manually enter IPs all the time.

/etc/hostapd.conf:

interface=ath0
driver=bsd

logger_syslog=-1
logger_syslog_level=0
logger_stdout=-1
logger_stdout_level=0
debug=3
dump_file=/tmp/hostapd.dump
ctrl_interface=/var/run/hostapd
ctrl_interface_group=wheel

#### IEEE 802.11 related config ####
ssid=mywifi
macaddr_acl=0
auth_algs=1

#### IEEE 802.1X related config ####
ieee8021x=0

#### WPA/IEEE 802.11i config #####
wpa=1
wpa_passphrase=MyBigSecretPassphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP

/usr/local/etc/dhcpd.conf:

ddns-update-style none;
always-broadcast on;
default-lease-time 7200;
max-lease-time 7200;
authoritative;

subnet 10.0.0.0 netmask 255.255.255.0 {
	range 10.0.0.100 10.0.0.199;
	option broadcast-address 10.0.0.255;
	option subnet-mask 255.255.255.0;
	option routers 10.0.0.1;
	option domain-name-servers 10.0.0.1;
	option domain-name "localnet.localdomain";
}

At this point everything should be configured. Now you just need to start the following daemons:

  • named - to provide DNS services
  • dhcpd - to provide DHCP services
  • hostapd - to provide wireless services
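
Before starting hostapd, it is worth checking what the WPA-PSK settings above actually allow. The following is an added example, not part of the original how-to: a small audit of hostapd.conf that reports WPA-only mode, TKIP, a passphrase copied from a published how-to, and a passphrase file readable by other users. The function names and the PUBLISHED set are assumptions made for this example.

```python
# Added example: audit of the WPA-PSK settings in a hostapd.conf.
# SAMPLE_CONF is constructed from the configuration shown on this page.
SAMPLE_CONF = """\
interface=ath0
ssid=mywifi
auth_algs=1
wpa=1
wpa_passphrase=MyBigSecretPassphrase
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP TKIP
"""
# Passphrases published in how-tos (here: this page's sample value).
PUBLISHED = {"MyBigSecretPassphrase"}

def parse_conf(text):
    """Parse hostapd's key=value lines, skipping blanks and '#' comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(conf, mode=None):
    """Return findings for explicitly set options only (defaults are not
    modelled). mode: permission bits of the file, or None to skip."""
    findings = []
    wpa = int(conf.get("wpa", "0"))          # bit 0 = WPA, bit 1 = WPA2
    if wpa == 0:
        findings.append("wpa: WPA is not enabled")
    elif not wpa & 2:
        findings.append("wpa: WPA only, WPA2 (bit 1) is off")
    if int(conf.get("auth_algs", "0")) & 2:  # bit 1 = shared key (WEP)
        findings.append("auth_algs: shared-key authentication allowed")
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(key + ": TKIP is offered")
    psk = conf.get("wpa_passphrase")
    if psk is not None:
        if not 8 <= len(psk) <= 63:
            findings.append("wpa_passphrase: must be 8..63 characters")
        elif psk in PUBLISHED:
            findings.append("wpa_passphrase: value copied from a how-to")
        if mode is not None and mode & 0o077:
            findings.append("file: passphrase readable by group/other")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_conf(SAMPLE_CONF), mode=0o644):
        print(finding)
```

To audit the real file, read /etc/hostapd.conf and pass stat.S_IMODE(os.stat(path).st_mode) as mode.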

Update 21 March 2007: I had a how-to on this published at HowtoForge.