PERFORCE change 131369 for review
Gabor Kovesdan
gabor at FreeBSD.org
Fri Dec 21 05:55:27 PST 2007
http://perforce.freebsd.org/chv.cgi?CH=131369
Change 131369 by gabor at gabor_server on 2007/12/21 13:55:19
IFC
Affected files ...
.. //depot/projects/docproj_hu/books/handbook/advanced-networking/chapter.sgml#3 integrate
Differences ...
==== //depot/projects/docproj_hu/books/handbook/advanced-networking/chapter.sgml#3 (text+ko) ====
@@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
- $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.400 2007/09/12 11:47:33 murray Exp $
+ $FreeBSD: doc/en_US.ISO8859-1/books/handbook/advanced-networking/chapter.sgml,v 1.404 2007/12/20 22:21:44 gabor Exp $
-->
<chapter id="advanced-networking">
@@ -901,8 +901,8 @@
<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput>
SSID BSSID CHAN RATE S:N INT CAPS
-dlinkap 00:13:46:49:41:76 6 54M 29:0 100 EPS WPA WME
-freebsdap 00:11:95:c3:0d:ac 1 54M 22:0 100 EPS WPA</screen>
+dlinkap 00:13:46:49:41:76 6 54M 29:3 100 EPS WPA WME
+freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS WPA</screen>
<note>
<para>You must mark the interface <option>up</option>
@@ -1143,7 +1143,7 @@
parameters you have set up for selecting an access
point:</para>
- <programlisting>ifconfig_ath0="inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>your_ssid_here</replaceable>"</programlisting>
+ <programlisting>ifconfig_ath0="ssid <replaceable>your_ssid_here</replaceable> inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable>"</programlisting>
</sect5>
<sect4 id="network-wireless-wpa">
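Review bot: the reorder of the ifconfig_ath0 line (ssid now before inet/netmask) is applied silently here and repeated in the WEP and ad-hoc hunks below, but no sentence tells the reader why the order matters, so the old order is likely to be reintroduced by copy-paste. Suggest a short note in the surrounding paragraph stating that ifconfig applies its arguments in sequence and that the 802.11 parameters (ssid, wepmode, keys) must be given before the address assignment brings the interface up, so they are already in effect when the card starts associating.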
@@ -1635,8 +1635,8 @@
<para>WEP can be set up with
<command>ifconfig</command>:</para>
- <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid my_net \
- wepmode on weptxkey 3 wepkey 3:0x3456789012</userinput></screen>
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012 \
+ inet <replaceable>192.168.1.100</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput></screen>
<itemizedlist>
<listitem>
@@ -1698,7 +1698,7 @@
<para>On the box <hostid>A</hostid>:</para>
- <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc</userinput>
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
@@ -1717,14 +1717,14 @@
<screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput>
SSID BSSID CHAN RATE S:N INT CAPS
- freebsdap 02:11:95:c3:0d:ac 2 54M 19:0 100 IS</screen>
+ freebsdap 02:11:95:c3:0d:ac 2 54M 19:3 100 IS</screen>
<para>The <literal>I</literal> in the output confirms the
machine <hostid>A</hostid> is in ad-hoc mode. We just have to
configure <hostid>B</hostid> with a different IP
address:</para>
- <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc</userinput>
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mediaopt adhoc inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
@@ -1739,6 +1739,305 @@
ready to exchange informations.</para>
</sect2>
+ <sect2 id="network-wireless-ap">
+ <title>&os; Host Access Points</title>
+
+ <para>&os; can act as an Access Point (AP) which eliminates the
+ need to buy a hardware AP or run an ad-hoc network. This can be
+ particularly useful when your &os; machine is acting as a
+ gateway to another network (e.g., the Internet).</para>
+
+ <sect3 id="network-wireless-ap-basic">
+ <title>Basic Settings</title>
+
+ <para>Before configuring your &os; machine as an AP, the
+ kernel must be configured with the appropriate wireless
+ networking support for your wireless card. You also have to
+ add the support for the security protocols you intend to
+ use. For more details, see <xref
+ linkend="network-wireless-basic">.</para>
+
+ <note>
+ <para>The use of the NDIS driver wrapper and the &windows;
+ drivers do not allow currently the AP operation. Only
+ native &os; wireless drivers support AP mode.</para>
+ </note>
+
+ <para>Once the wireless networking support is loaded, you can
+ check if your wireless device supports the host-based access
+ point mode (also know as hostap mode):</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> list caps</userinput>
+ath0=783ed0f<WEP,TKIP,AES,AES_CCM,IBSS,HOSTAP,AHDEMO,TXPMGT,SHSLOT,SHPREAMBLE,MONITOR,TKIPMIC,WPA1,WPA2,BURST,WME></screen>
+
+ <para>This output displays the card capabilities; the
+ <literal>HOSTAP</literal> word confirms this wireless card
+ can act as an Access Point. Various supported ciphers are
+ also mentioned: WEP, TKIP, WPA2, etc., these informations
+ are important to know what security protocols could be set
+ on the Access Point.</para>
+
+ <para>The wireless device can now be put into hostap mode and
+ configured with the correct SSID and IP address:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> mode 11g mediaopt hostap</userinput> inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></screen>
+
+ <para>Use again <command>ifconfig</command> to see the status
+ of the <devicename>ath0</devicename> interface:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+ ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
+ inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
+ inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
+ ether 00:11:95:c3:0d:ac
+ media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
+ status: associated
+ ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+ authmode OPEN privacy OFF txpowmax 38 bmiss 7 protmode CTS burst dtimperiod 1 bintval 100</screen>
+
+ <para>The <literal>hostap</literal> parameter indicates the
+ interface is running in the host-based access point
+ mode.</para>
+
+ <para>The interface configuration can be done automatically at
+ boot time by adding the following line to
+ <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>ifconfig_ath0="ssid <replaceable>freebsdap</replaceable> mode 11g mediaopt hostap inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable>"</programlisting>
+ </sect3>
+
+ <sect3>
+ <title>Host-based Access Point without Authentication or
+ Encryption</title>
+
+ <para>Although it is not recommended to run an AP without any
+ authentication or encryption, this is a simple way to check
+ if your AP is working. This configuration is also important
+ for debugging client issues.</para>
+
+ <para>Once the AP configured as previously shown, it is
+ possible from another wireless machine to initiate a scan to
+ find the AP:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput>
+SSID BSSID CHAN RATE S:N INT CAPS
+freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 ES</screen>
+
+ <para>The client machine found the Access Point and can be
+ associated with it:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> inet <replaceable>192.168.0.2</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput>
+&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+ ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
+ inet6 fe80::211:95ff:fed5:4362%ath0 prefixlen 64 scopeid 0x1
+ inet 192.168.0.2 netmask 0xffffff00 broadcast 192.168.0.255
+ ether 00:11:95:d5:43:62
+ media: IEEE 802.11 Wireless Ethernet autoselect (OFDM/54Mbps)
+ status: associated
+ ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+ authmode OPEN privacy OFF txpowmax 36 protmode CTS bintval 100</screen>
+ </sect3>
+
+ <sect3>
+ <title>WPA Host-based Access Point</title>
+
+ <para>This section will focus on setting up &os; Access Point
+ using the WPA security protocol. More details regarding WPA
+ and the configuration of WPA-based wireless clients can be
+ found in the <xref linkend="network-wireless-wpa">.</para>
+
+ <para>The <application>hostapd</application> daemon is used to
+ deal with client authentication and keys management on the
+ WPA enabled Access Point.</para>
+
+ <para>In the following, all the configuration operations will
+ be performed on the &os; machine acting as AP. Once the
+ AP is correctly working, <application>hostapd</application>
+ should be automatically enabled at boot with the following
+ line in <filename>/etc/rc.conf</filename>:</para>
+
+ <programlisting>hostapd_enable="YES"</programlisting>
+
+ <para>Before trying to configure
+ <application>hostapd</application>, be sure you have done
+ the basic settings introduced in the <xref
+ linkend="network-wireless-ap-basic">.</para>
+
+ <sect4>
+ <title>WPA-PSK</title>
+
+ <para>WPA-PSK is intended for small networks where the use
+ of an backend authentication server is not possible or
+ desired.</para>
+
+ <para>The configuration is done in the
+ <filename>/etc/hostapd.conf</filename> file:</para>
+
+ <programlisting>interface=ath0 <co id="co-ap-wpapsk-iface">
+debug=1 <co id="co-ap-wpapsk-dbug">
+ctrl_interface=/var/run/hostapd <co id="co-ap-wpapsk-ciface">
+ctrl_interface_group=wheel <co id="co-ap-wpapsk-cifacegrp">
+ssid=freebsdap <co id="co-ap-wpapsk-ssid">
+wpa=1 <co id="co-ap-wpapsk-wpa">
+wpa_passphrase=freebsdmall <co id="co-ap-wpapsk-pass">
+wpa_key_mgmt=WPA-PSK <co id="co-ap-wpapsk-kmgmt">
+wpa_pairwise=CCMP TKIP <co id="co-ap-wpapsk-pwise"></programlisting>
+
+ <calloutlist>
+ <callout arearefs="co-ap-wpapsk-iface">
+ <para>This field indicates the wireless interface used
+ for the Access Point.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-dbug">
+ <para>This field sets the level of verbosity during the
+ execution of <application>hostapd</application>. A
+ value of <literal>1</literal> represents the minimal
+ level.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-ciface">
+ <para>The <literal>ctrl_interface</literal> field gives
+ the pathname of the directory used by
+ <application>hostapd</application> to stores its
+ domain socket files for the communication with
+ external programs such as &man.hostapd.cli.8;. The
+ default value is used here.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-cifacegrp">
+ <para>The <literal>ctrl_interface_group</literal> line
+ sets the group (here, it is the
+ <groupname>wheel</groupname> group) allowed to access
+ to the control interface files.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-ssid">
+ <para>This field sets the network name.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-wpa">
+ <para>The <literal>wpa</literal> field enables WPA and
+ specifies which WPA authentication protocol will be
+ required. A value of <literal>1</literal> configures the
+ AP for WPA-PSK.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-pass">
+ <para>The <literal>wpa_passphrase</literal> field
+ contains the ASCII passphrase for the WPA
+ authentication.</para>
+
+ <warning>
+ <para>Always use strong passwords that are
+ sufficiently long and made from a rich alphabet so
+ they will not be guessed and/or attacked.</para>
+ </warning>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-kmgmt">
+ <para>The <literal>wpa_key_mgmt</literal> line refers to
+ the key management protocol we use. In our case it is
+ WPA-PSK.</para>
+ </callout>
+
+ <callout arearefs="co-ap-wpapsk-pwise">
+ <para>The <literal>wpa_pairwise</literal> field
+ indicates the set of accepted encryption algorithms by
+ the Access Point. Here both TKIP (WPA) and CCMP
+ (WPA2) ciphers are accepted. CCMP cipher is an
+ alternative to TKIP and that is strongly preferred
+ when possible; TKIP should be used solely for stations
+ incapable of doing CCMP.</para>
+ </callout>
+ </calloutlist>
+
+ <para>The next step is to start
+ <application>hostapd</application>:</para>
+
+ <screen>&prompt.root <userinput>/etc/rc.d/hostapd forcestart</userinput></screen>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+ ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 2290
+ inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
+ inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
+ ether 00:11:95:c3:0d:ac
+ media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
+ status: associated
+ ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+ authmode WPA2/802.11i privacy MIXED deftxkey 2 TKIP 2:128-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
+
+ <para>The Access Point is running, the clients can now be
+ associated with it, see <xref
+ linkend="network-wireless-wpa"> for more details. It is
+ possible to see the stations associated with the AP using
+ the <command>ifconfig <replaceable>ath0</replaceable> list
+ sta</command> command.</para>
+ </sect4>
+ </sect3>
+
+ <sect3>
+ <title>WEP Host-based Access Point</title>
+
+ <para>It is not recommended to use WEP for setting up an
+ Access Point since there is no authentication mechanism and
+ it is easily to be cracked. Some legacy wireless cards only
+ support WEP as security protocol, these cards will only
+ allow to set up AP without authentication or encryption or
+ using the WEP protocol.</para>
+
+ <para>The wireless device can now be put into hostap mode and
+ configured with the correct SSID and IP address:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> ssid <replaceable>freebsdap</replaceable> wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g mediaopt hostap \
+ inet <replaceable>192.168.0.1</replaceable> netmask <replaceable>255.255.255.0</replaceable></userinput></screen>
+
+ <itemizedlist>
+ <listitem>
+ <para>The <literal>weptxkey</literal> means which WEP
+ key will be used in the transmission. Here we used the
+ third key (note that the key numbering starts with
+ <literal>1</literal>). This parameter must be specified
+ to really encrypt the data.</para>
+ </listitem>
+
+ <listitem>
+ <para>The <literal>wepkey</literal> means setting the
+ selected WEP key. It should in the format
+ <replaceable>index:key</replaceable>, if the index is
+ not given, key <literal>1</literal> is set. That is
+ to say we need to set the index if we use keys other
+ than the first key.</para>
+ </listitem>
+ </itemizedlist>
+
+ <para>Use again <command>ifconfig</command> to see the status
+ of the <devicename>ath0</devicename> interface:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable></userinput>
+ ath0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
+ inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
+ inet6 fe80::211:95ff:fec3:dac%ath0 prefixlen 64 scopeid 0x4
+ ether 00:11:95:c3:0d:ac
+ media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
+ status: associated
+ ssid freebsdap channel 1 bssid 00:11:95:c3:0d:ac
+ authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit txpowmax 36 protmode CTS dtimperiod 1 bintval 100</screen>
+
+ <para>From another wireless machine, it is possible to initiate
+ a scan to find the AP:</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>ath0</replaceable> up scan</userinput>
+SSID BSSID CHAN RATE S:N INT CAPS
+freebsdap 00:11:95:c3:0d:ac 1 54M 22:1 100 EPS</screen>
+
+ <para>The client machine found the Access Point and can be
+ associated with it using the correct parameters (key, etc.),
+ see <xref linkend="network-wireless-wep"> for more
+ details.</para>
+ </sect3>
+ </sect2>
+
<sect2>
<title>Troubleshooting</title>
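Review bot: markup problem in the first hostap example of the new "Basic Settings" section: `</userinput>` is closed right after `mediaopt hostap`, so the `inet 192.168.0.1 netmask 255.255.255.0` part of the same command sits outside the userinput element, unlike every other screen in this change (compare the WEP hostap example, where the whole command is wrapped). Move the closing tag to the end of the command. Second, the line `<screen>&prompt.root <userinput>/etc/rc.d/hostapd forcestart</userinput></screen>` is missing the semicolon after `&prompt.root`, so the entity will not be expanded. Third, in the WPA-PSK callouts the `wpa` callout states that `wpa=1` configures WPA-PSK, while the `wpa_pairwise` callout describes CCMP as WPA2 and the status output that follows reports `authmode WPA2/802.11i`; the callout should say which `wpa` value selects WPA, WPA2 or both, otherwise a reader pairing `wpa=1` with CCMP will not know whether WPA2 clients are actually served. Remaining wording nits in the added prose: "do not allow currently the AP operation", "also know as hostap mode", "these informations are important", "Once the AP configured", "an backend authentication server", "to stores its domain socket files", "it is easily to be cracked", "these cards will only allow to set up AP", and "It should in the format" all need a grammar pass before this is integrated.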
@@ -2773,6 +3072,21 @@
</sect3>
<sect3>
+ <title>Address limits</title>
+
+ <para>The number of unique source MAC addresses behind an
+ interface can limited. Once the limit is reached packets
+ with unknown source addresses are dropped until an
+ existing host cache entry expires or is removed.</para>
+
+ <para>The following example sets the maximum number of Ethernet
+ devices for <hostid role="Hostname">CustomerA</hostid> on
+ <literal>vlan100</literal> to 10.</para>
+
+ <screen>&prompt.root; <userinput>ifconfig bridge0 ifmaxaddr vlan100 10</userinput></screen>
+ </sect3>
+
+ <sect3>
<title>SNMP Monitoring</title>
<para>The bridge interface and STP parameters can be monitored
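Review bot: typo in the first paragraph of the new "Address limits" section: "can limited" should read "can be limited". The section also only shows how to set the limit; since the effect is that frames from unknown source addresses are dropped until a host cache entry expires, it should say how the limit is lifted again and mention that a too-low value will silently cut off legitimate hosts on that interface, which is exactly the symptom an operator would otherwise have to debug.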