hostapd Addon to add a WiFi hotspot to IPFire

This addon gives IPfire the ability to manage wireless 802.11 connections and is required if the Blue network is assigned to a wireless card.

Requires a compatible wireless card
Make sure you have installed a compatible wireless card before attempting to use this addon. See the Network Adapter Hardware Compatibility List page in the wiki and/or ask for help in the forum.

When the country code is set to "00", the 5GHz band is disabled. Set your country code to enable more channels.

Setting up the Blue Network

Initial Setup

If the blue network has not been created and linked to an actual wireless card you will have to do that first. This can be done during installation but can also be done in the console later on.

To setup the blue network from the console, login as "root" using your password. Then type:


and navigate to "Network configuration".

Here you will need to modify "Network configuration type", "Drivers and card assignments" and "Address settings".

  • The Network configuration type must be one of the two types with a blue network.

Important - It is important to give the blue network a different subnet than the other zones.

  • Having defined a new blue network a compatible wireless card must be assigned to it in "Drivers and card assignments".
  • "Address settings" will be covered in the next section.

Addressing and DHCP Addressing

Important - IPfire treats the Blue network as a completely separate network. By default clients cannot connect with the Green network from it. If a client on the Blue network needs to communicate with a device on the Green network you must add a rule to the firewall allowing access. Alternatively you can bridge the two networks with Zone Configuration but this adds some security risk.

The blue interface needs a static IP address out of the blue network assigned to it. Make sure the green and blue are distinct.

For example if you have the green network setup using the subnet, use the subnet for the blue network.

Once a suitable IP address has been determined it should be assigned in the console under "Address settings".

It is common use, to choose the first or last client address in the subnet ( i.e. .1 or .254 in a /24 net ).


Dynamic Host Configuration Protocol is needed to pass out IP address to connecting clients. Chose a range of IP addresses that is from the same subnet as the blue network's default gateway address. The range cannot include the default gateways address. This range can then be set in the console or in the WUI under "network>DHCP server".


Installing the Add-on

At this stage a blue network should have been created and configured. All that is left to do is to install the add-on using IPfire's package manager.

The package manager is called "pakfire" and can be invoked from the console as well as from the WUI.

To use the WUI navigate to ">> IPFire >> Pakfire". There is a section labeled "Available Addons:" where you can find "hostapd" amongst the various add-ons. Select "hostapd" and then click on the "+" sign below the add-on box. Confirm the installation.

Wireless Settings

When pakfire installs hostapd, it adds a new page to the WUI. Navigate to this page via ">> IPFire >> WLanAP". On this page the wireless network can be turned on and off and you can find all the settings for the initial configuration.

  • SSID: Enter a name for your wireless network. This should be different to any nearby networks.
  • Broadcast SSID: This turns off broadcasting of the WLAN name (on is recommended)
  • Client Isolation: Client Isolation is a security feature that prevents wireless clients from interacting with each other.
  • Country Code: Selecting your country can enable more channels in the selection box of channels (like 'de' adds channel 12 and 13, which is allowed for Europe). The additional channels are available after save the parameter setting once and edit the parameter again.
  • HW Mode: Select a hardware mode supported by your wireless card:
HW Mode
Mbits/s Adopted
802.11a 5.0 6 to 54 1999
802.11b 2.4 1 to 11 1999
802.11g 2.4 6 to 54 2003
802.11an - - -
802.11a 5.0 6 to 54 1999
802.11n 2.4/5.0 72 to 600 2008
802.11gn - - -
802.11g 2.4 6 to 54 2003
802.11n 2.4/5.0 72 to 600 2008
802.11ac 5.0 433 to 6933 2014
  • Channel: Choose the channel with the least amount of other WiFi networks. Channels 1, 6 or 11 are recommended for common 2.4 GHz Wi-Fi as they do not overlap each other.
  • Neighborhood scan: This function searches for other wireless networks in the area. If any are found, 40 MHz channel bandwidth is disabled.
    Warning! Disabling may violate regulatory rules!
  • Encryption: WPA3 is the most secure.
  • Passphrase: If encryption is set, enter a passphrase. It is recommended to chose a secure passphrase with more than 8 digits, special characters and avoiding words from a dictionary.
  • Management Frame Protection: Protects all communication between the clients and the access point from eavesdropping.
  • HT Caps: If your card supports 802.11n or newer, enter the "High Throughput capabilities", or MCS (Modulation and Coding Schemes) supported by it. Each value must be enclosed in square brackets [ ] with no spaces.
    • Note - If your WiFi adapter was manufactured in the last few years it is likely to support the 802.11n and will have some "High Throughput Capabilities". For these features to be enabled you must configure this field.
    • You can find the capabilities of your wireless card by checking the detailed specifications on its product data sheet. Note any "High Throughput Capabilities", "MCS" values or "Modulation Techniques" which are supported. The HT Capabilities for some WiFi adapters tested with IPFire are noted in the Network Adapter Hardware Compatibility List.
    • Depending on your country the capabilities available for your card may differ. This is due to Government regulation of radio signals.
    • Some examples: [HT20][HT40+][HT40-][SHORT-GI-20][SHORT-GI-40][TX-STBC][RX-STBC123][DSSS_CCK-40][LDPC] or [HT40-][TX-STBC][RX-STBC1][SHORT-GI-20][SHORT-GI-40][DSSS_CCK-40][HT-20][OFDM][BPSK][QPSK][16-QAM][64-QAM][DSSS][DBPSK][DQPSK][CCK][LDPC].
  • VHT Caps: Very High Throughput capabilities, refer to the set of features and capabilities supported by a Wi-Fi access point when operating in the 802.11ac mode. For example, these flags enable specific VHT features, such as maximum MPDU length, short guard interval for 80 MHz, and single-user beamforming: [MAX-MPDU-7991][SHORT-GI-80][SU-BEAMFORMER][SU-BEAMFORMEE]
  • Loglevel (hostapd): Choose how much detail to capture in the logs.

Remember to save the settings by clicking the save icon below them.

Once the settings are configured and saved turn on the network by clicking on the green up arrow. If all went well it should look like this:

Connecting Clients

Wireless client filter
When clients first connect to IPFire they will be assigned an IP address from the blue interface's DHCP server. However they cannot access the internet until their MAC address is specifically allowed in the MAC address filter.

The MAC address filter is located under the firewall tab and is called "Blue Access". There is also a link at the bottom of the "WLanAP" page.

To activate a client, first have that client attempt to connect to the Access Point. This should fail but it will add that client's MAC address to the blue access page. To the right of the client's MAC address there is an icon for adding the device. Once added, IPFire should allow access to the Access Point.
See also the Access to Blue page, which also includes instructions for disabling MAC Address filtering, if desired.

Warning - Do NOT use the special character 'ยง' in the encryption key as it will not work.