hostapd Addon to add a WiFi hotspot to IPFire
This addon gives IPfire the ability to manage wireless 802.11 connections and is required if the Blue network is assigned to a wireless card.
Requires a compatible wireless card
Make sure you have installed a compatible wireless card before attempting to use this addon. See the Network Adapter Hardware Compatibility List page in the wiki and/or ask for help in the forum.
Warning
When the country code is set to "00", the 5GHz band is disabled. Set your country code to enable more channels.
Setting up the Blue Network
Initial Setup
If the blue network has not been created and linked to an actual wireless card you will have to do that first. This can be done during installation but can also be done in the console later on.
To setup the blue network from the console, login as "root" using your password. Then type:
setup
and navigate to "Network configuration".
Here you will need to modify "Network configuration type", "Drivers and card assignments" and "Address settings".
- The Network configuration type must be one of the two types with a blue network.
Important - It is important to give the blue network a different subnet than the other zones.
- Having defined a new blue network a compatible wireless card must be assigned to it in "Drivers and card assignments".
- "Address settings" will be covered in the next section.
Addressing and DHCP Addressing
Important - IPfire treats the Blue network as a completely separate network. By default clients cannot connect to the Green network from it. If a client on the Blue network needs to communicate with a device on the Green network you must add a rule to the firewall allowing access. Alternatively you can bridge the two networks with Zone Configuration but this adds some security risk.
The blue interface needs a static IP address out of the blue network assigned to it. Make sure the green and blue are distinct.
For example if you have the green network setup using the 192.168.0.0/24 subnet, use the 192.168.1.0/24 subnet for the blue network.
Once a suitable IP address has been determined it should be assigned in the console under "Address settings".
It is common use, to choose the first or last client address in the subnet ( i.e. .1 or .254 in a /24 net ).
DHCP
Dynamic Host Configuration Protocol is needed to pass out IP address to connecting clients. Chose a range of IP addresses that is from the same subnet as the blue network's default gateway address. The range cannot include the default gateways address. This range can then be set in the console or in the WUI under "network>DHCP server".
Pakfire
Installing the Add-on
At this stage a blue network should have been created and configured. All that is left to do is to install the add-on using IPfire's package manager.
The package manager is called "pakfire" and can be invoked from the console as well as from the WUI.
To use the WUI navigate to ">> IPFire >> Pakfire". There is a section labeled "Available Addons:" where you can find "hostapd" amongst the various add-ons. Select "hostapd" and click on "Install", then confirm the installation.
Wireless Settings
When pakfire installs hostapd, it adds a new page to the WUI. Navigate to this page via ">> IPFire >> Wireless Access Point". On this page the wireless network can be turned on and off and you can find all the settings for the initial configuration.
- Select Interface: Set the wireless network interface controller that should be used by the access point.
- SSID: Enter a name for your wireless network. This should be different to any nearby networks.
- Hide SSID: This turns off broadcasting of the WLAN name (not recommended).
- Client Isolation: Client Isolation is a security feature that prevents wireless clients from interacting with each other.
- Country Code: Selecting your country can enable more channels in the selection box of channels (for instance 'DE' adds channels 12 and 13, which are allowed in Europe). The additional channels are available after saving the parameter setting once and editing the parameter again.
- HW Mode: Select a hardware mode supported by your wireless card:
| HW Mode (IEEE) |
Freq (GHz) |
Mbits/s | Adopted |
|---|---|---|---|
| 802.11a | 5.0 | 6 to 54 | 1999 |
| 802.11b | 2.4 | 1 to 11 | 1999 |
| 802.11g | 2.4 | 6 to 54 | 2003 |
| 802.11an | - | - | - |
| 802.11a | 5.0 | 6 to 54 | 1999 |
| 802.11n | 2.4/5.0 | 6.5 to 600 | 2009 |
| 802.11gn | - | - | - |
| 802.11g | 2.4 | 6 to 54 | 2003 |
| 802.11n | 2.4/5.0 | 6.5 to 600 | 2009 |
| 802.11ac | 5.0 | 6.5 to 6933 | 2013 |
| 802.11ax | 2.4/5.0/6.0 | 0.4 to 9608 | 2021 |
| 802.11be | 2.4/5.0/6.0 | 0.4 to 23059 | 2024 |
- Channel: Choose the channel with the least amount of other WiFi networks, or leave the default for 'Automatic Channel Selection'. Channels 1, 6 or 11 are recommended for common 2.4 GHz Wi-Fi as they do not overlap each other.
- Neighborhood scan: This function searches for other wireless networks in the area. If any are found, 40 MHz channel bandwidth is disabled.
At the moment selecting disables the scan!!!
Warning! Disabling may violate regulatory rules! - Encryption: WPA3 is the most secure, but not all devices may support it. In this case select WPA2+3.
- Pre-Shared Key: If encryption is set, enter the password. It is recommended to chose a secure password with more than 8 digits and special characters, and to avoid words from a dictionary.
- Management Frame Protection: Protects all communication between the clients and the access point from eavesdropping.
- Tx Power: Defaults to 'auto'.
Remember to save the settings by clicking the save icon below them.
Once the settings are configured and saved turn on the network by clicking on the green up arrow. If all went well it should look like this:
Connecting Clients
Wireless client filter
When clients first connect to IPFire they will be assigned an IP address from the blue interface's DHCP server. However they cannot access the internet until their MAC address is specifically allowed in the MAC address filter.
The MAC address filter is located under the firewall tab and is called "Blue Access".
To activate a client, first have that client attempt to connect to the Access Point. This should fail but it will add that client's MAC address to the blue access page. To the right of the client's MAC address there is an icon for adding the device. Once added, IPFire should allow access to the Access Point.
See also the Access to Blue page, which also includes instructions for disabling MAC Address filtering, if desired.
Warning - Do NOT use the special character 'ยง' in the encryption key as it will not work.