StefanoLaguardia.eu

[SysAdmin] Create isolated WiFi network on OPNSense with local wireless interface

During the last months I have been using OPNSense as my firewall (moving away from pfSense). At the very beginning I ran it on an apu2d board, but then I decided to try running it in a kind of NFV way. Now I am indeed running OPNSense as a virtual machine (with KVM as hypervisor on Debian GNU/Linux) and I simply love it! Incredibly fast, reliable updates and a lot of embedded features. Today I am going to write some notes on how I created a dedicated WiFi network using a local wireless interface and kept it completely isolated from the other networks I am running in my home "infrastructure".

As you probably know, OPNSense has very limited support for physical WiFi interfaces (this is not a limitation of OPNSense itself but rather of FreeBSD). It is suggested almost everywhere to buy a dedicated access point and have OPNSense be the gateway/firewall of the network created on that access point. Well, I confirm that 🙂 However, instead of buying another device, I decided to use the WiFi interface embedded in the computer I use to virtualize OPNSense, and it was quite an interesting journey that ended in success 🙂 Here I am sharing some notes on what I have now and how I did it.

This is more or less the situation:

[Diagram: OPNSense running as a KVM guest]

The problem to solve was to configure the wireless LAN interface (Broadcom chipset BCM43224) to provide a dedicated wireless network, with its own SSID, isolated from the rest of the network. Consider it like a guest network.

The first attempt I made was to check whether the chipset of my wireless card was recognized directly by OPNSense, so that I could create the access point with OPNSense's own tools. To do that I configured KVM to give OPNSense full access to the hardware using PCI passthrough. Unfortunately (and somewhat expectedly) the card was not recognized by OPNSense.

The way to go, then, was to configure the WiFi card entirely on the KVM host and bridge it (using bridge-utils) in the same way as all my other LAN interfaces. The challenge is that I wanted it to work as an access point! Luckily, with GNU/Linux this is not that complicated 🙂

The steps to take are:

1) have the WiFi card recognized by the host machine, with the proper driver, to be sure it supports AP mode;
2) install and configure hostapd;
3) add the WiFi interface to a dedicated bridge;
4) configure KVM to add the newly created bridge interface to the OPNSense guest.

Let’s start.

Configure WiFi card

In my case I have a WiFi interface with a Broadcom BCM43224 chipset. You have a couple of options to get it working as a standard WiFi client if you simply need to connect it to a wireless network. But if you want it to run as an access point there is only one option: the brcmsmac module.

What I did was add that module to the file /etc/modules so that it is loaded at every boot:

# /etc/modules: kernel modules to load at boot time.
#
# This file contains the names of kernel modules that should be loaded
# at boot time, one per line. Lines beginning with "#" are ignored.
brcmsmac

and then I blacklisted b43 in the file /etc/modprobe.d/blacklist.conf:

blacklist b43

The end result you want to see is this output from the command:

# iw list | grep "Supported interface modes" -A 8
Supported interface modes:
* IBSS
* managed
* AP
* AP/VLAN
* monitor
Band 1:
Capabilities: 0x7c
HT20

Once we have achieved the above we can move to the next step.

Install and configure Hostapd

That's a very easy step. On my Debian GNU/Linux all I had to do was apt install hostapd, arrange the hostapd.conf configuration file and make sure that on boot hostapd uses the configuration file I created. Let's start by creating the file /etc/hostapd/hostapd.conf as root and adding the following:


# This is the name of the WiFi interface we configured above.
# You can check the name from dmesg or from the command "ip link".
# Note: hostapd does not accept a comment after a value on the same line,
# so keep comments on their own lines.
interface=<YourWiFiInterface>

# Use the nl80211 driver (the card itself is handled by brcmsmac on the host)
driver=nl80211

# This is the name of the network
ssid=<whatever_you_like>

# Use the 2.4GHz band or 5GHz band – in my case "g" is for 2.4GHz
hw_mode=g

# Channel – I suggest you make a survey to check which one is less crowded in your surroundings
channel=<X>

# Enable 802.11n
ieee80211n=1

# Enable WMM – not mandatory
wmm_enabled=1

# Accept all MAC addresses (no MAC-based ACL)
macaddr_acl=0

# Open System authentication, which WPA/WPA2 is built on (2 would mean WEP shared key)
auth_algs=1

# Broadcast the SSID (1 would hide it; hiding the SSID is not a security measure)
ignore_broadcast_ssid=0

# Select WPA2 only (1 = WPA, 3 = WPA and WPA2)
wpa=2

# Use WPA-PSK as authentication method to access the AP
wpa_key_mgmt=WPA-PSK

# The network passphrase (8 to 63 characters)
wpa_passphrase=<YourStrongPassword>

# Use AES (CCMP) with WPA2, no TKIP
rsn_pairwise=CCMP

Now, if you are also using Debian, edit the file /etc/default/hostapd to make sure that hostapd will use the file we just created to run the Access Point. You will need to change this line:

DAEMON_CONF="/etc/hostapd/hostapd.conf"

You are now ready to restart the hostapd service, after which you should be able to see the SSID broadcast around you 🙂

# service hostapd restart
# iwconfig
<...>
YOUR_WIFI_INTF  IEEE 802.11  Mode:Master  Tx-Power=19 dBm    
         Retry short limit:7   RTS thr:off   Fragment thr:off
         Power Management:off
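Before restarting the service it is worth a quick sanity check of the file. The following script is an added example, not part of the original post: it parses a hostapd.conf like the one above and flags settings that would weaken or break the guest AP (WPA1/TKIP still allowed, a passphrase outside the 8 to 63 character range, placeholders left in, or a trailing comment that hostapd would read as part of the value). The embedded SAMPLE_CONF is constructed and carries two deliberate weaknesses.

```python
# Added example (not from the original post): validator for a guest-AP hostapd.conf.
# SAMPLE_CONF is constructed; it allows TKIP and has a too-short passphrase on purpose.
SAMPLE_CONF = """\
interface=wlp4s0b1
driver=nl80211
ssid=GuestNet
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_passphrase=short
rsn_pairwise=CCMP TKIP
"""

def parse_hostapd_conf(text):
    """Parse key=value lines, skipping blanks and full-line '#' comments.
    hostapd has no trailing-comment syntax, so 'key=value # note' keeps '# note' in the value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip()] = value.strip()
    return conf

def check_guest_ap(conf):
    """Return findings for settings that weaken or break the isolated guest AP."""
    findings = []
    for key in ("interface", "ssid", "wpa_passphrase"):
        value = conf.get(key, "")
        if not value or "#" in value or value.startswith("<"):
            findings.append(f"{key}: missing, placeholder left in, or trailing comment in value")
    if conf.get("driver") != "nl80211":
        findings.append("driver: must be nl80211 for the brcmsmac-managed card")
    if conf.get("wpa") != "2":
        findings.append("wpa: must be 2 (WPA2 only); 1 or 3 would still allow WPA1")
    if conf.get("wpa_key_mgmt") != "WPA-PSK":
        findings.append("wpa_key_mgmt: expected WPA-PSK")
    if set(conf.get("rsn_pairwise", "").split()) != {"CCMP"}:
        findings.append("rsn_pairwise: must be CCMP only (TKIP is deprecated and weak)")
    if not 8 <= len(conf.get("wpa_passphrase", "")) <= 63:
        findings.append("wpa_passphrase: WPA-PSK passphrases are 8 to 63 characters")
    return findings
```

Run it against your real file with `check_guest_ap(parse_hostapd_conf(open("/etc/hostapd/hostapd.conf").read()))`; an empty list means nothing was flagged.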

Configure WiFi interface to access the bridge

Assuming you are using bridge-utils to manage your KVM guests' access to network resources, all you need to do is create a new bridge (I did this by editing the file /etc/network/interfaces) and add the WiFi interface to it. In my case I added the following:

#Adding interface for hostapd *embedded broadcom wifi*
allow-hotplug wlp4s0b1
iface wlp4s0b1 inet manual
   pre-up ifconfig $IFACE up
   pre-down ifconfig $IFACE down

## Adding bridge interface for HOSTAP – to be managed by OPNSense
auto br4
iface br4 inet manual
   bridge_ports wlp4s0b1
   bridge_stp off
   bridge_fd 0
   bridge_maxwait 0

As you will notice, there is no Layer 3/IP configuration. This is on purpose, because I want only OPNSense to manage the traffic at Layer 3, acting as the gateway.
After you configure the bridge you need to restart the networking service in order to bring the bridge up as an interface.

Configure KVM to add the newly created bridge interface to the OPNSense guest

I will not cover this step in detail as it is a simple one. You can either add a new network interface to the OPNSense guest using virt-manager or manually edit the guest's .xml configuration file. This is really up to you. My only suggestion is to do it while the virtual machine is not running.

After that, you can start OPNSense, assign a new standard interface (you should find the new interface under Interfaces -> Assignments -> New Interface) and then attach the firewall rules you prefer, as well as the DHCP configuration, so that clients connecting to the AP get their address from OPNSense.

Enjoy your new Access Point!
