git: b113509f32 - main - Handbook WG - Create a new network chapter

From: Sergio Carlavilla Delgado <carlavilla_at_FreeBSD.org>
Date: Thu, 06 Jul 2023 12:09:18 UTC
The branch main has been updated by carlavilla:

URL: https://cgit.FreeBSD.org/doc/commit/?id=b113509f32da681db41fd60594b723c13334df8e

commit b113509f32da681db41fd60594b723c13334df8e
Author:     Sergio Carlavilla Delgado <carlavilla@FreeBSD.org>
AuthorDate: 2023-07-06 12:04:54 +0000
Commit:     Sergio Carlavilla Delgado <carlavilla@FreeBSD.org>
CommitDate: 2023-07-06 12:04:54 +0000

    Handbook WG - Create a new network chapter
    
    Create a new chapter with the basic configuration of wired
    and wireless networks in FreeBSD.
    
    Sections of the new chapter:
    - Synopsis
    - Setting up the Network
    - Wired Networks
    - Wireless Networks
    - Hostname
    - DNS
    - Troubleshooting
    
    Changes:
    - Move wired network section from config to network
    - Move virtual hosts section from config to advanced networking
    - Move basic wireless section from advanced networking to network
    - Move IPv6 from advanced networking to network
    - Upgrade all command outputs
    - Use sysrc
    - Improve AsciiDoc syntax
    
    Differential Revision:          https://reviews.freebsd.org/D40546
    Reviewed by:                    bcr, dbaio, fernape, karels
    Sponsored by:                   Daifressh
---
 .../books/handbook/advanced-networking/_index.adoc | 897 +------------------
 .../content/en/books/handbook/audit/_index.adoc    |   6 +-
 .../en/books/handbook/bibliography/_index.adoc     |   2 +-
 documentation/content/en/books/handbook/book.adoc  |   2 +
 .../content/en/books/handbook/boot/_index.adoc     |   6 +-
 .../content/en/books/handbook/colophon.adoc        |   2 +-
 .../content/en/books/handbook/config/_index.adoc   | 492 +----------
 .../en/books/handbook/cutting-edge/_index.adoc     |   8 +-
 .../content/en/books/handbook/desktop/_index.adoc  |   6 +-
 .../content/en/books/handbook/disks/_index.adoc    |   6 +-
 .../content/en/books/handbook/dtrace/_index.adoc   |   6 +-
 .../en/books/handbook/eresources/_index.adoc       |   2 +-
 .../en/books/handbook/filesystems/_index.adoc      |   6 +-
 .../en/books/handbook/firewalls/_index.adoc        |   6 +-
 .../content/en/books/handbook/geom/_index.adoc     |   6 +-
 .../content/en/books/handbook/glossary.adoc        |   4 +-
 .../content/en/books/handbook/jails/_index.adoc    |   6 +-
 .../en/books/handbook/kernelconfig/_index.adoc     | 153 ++--
 .../content/en/books/handbook/l10n/_index.adoc     |   6 +-
 .../content/en/books/handbook/linuxemu/_index.adoc |  42 +-
 .../content/en/books/handbook/mac/_index.adoc      |   6 +-
 .../content/en/books/handbook/mail/_index.adoc     |   6 +-
 .../content/en/books/handbook/mirrors/_index.adoc  |   8 +-
 .../en/books/handbook/multimedia/_index.adoc       |   6 +-
 .../en/books/handbook/network-servers/_index.adoc  |   6 +-
 .../content/en/books/handbook/network/_index.adoc  | 951 +++++++++++++++++++++
 .../content/en/books/handbook/partii.adoc          |   4 +-
 .../content/en/books/handbook/partiii.adoc         |   2 +-
 .../content/en/books/handbook/partiv.adoc          |   2 +-
 documentation/content/en/books/handbook/partv.adoc |   2 +-
 .../content/en/books/handbook/pgpkeys/_index.adoc  |   2 +-
 .../content/en/books/handbook/ports/_index.adoc    |  28 +-
 .../en/books/handbook/ppp-and-slip/_index.adoc     |   6 +-
 .../content/en/books/handbook/printing/_index.adoc |   6 +-
 .../content/en/books/handbook/security/_index.adoc |  12 +-
 .../en/books/handbook/serialcomms/_index.adoc      |   6 +-
 .../en/books/handbook/usb-device-mode/_index.adoc  |   6 +-
 .../en/books/handbook/virtualization/_index.adoc   |   6 +-
 .../content/en/books/handbook/wayland/_index.adoc  |   2 +-
 .../content/en/books/handbook/wine/_index.adoc     |   6 +-
 .../content/en/books/handbook/zfs/_index.adoc      |  11 +-
 41 files changed, 1202 insertions(+), 1546 deletions(-)

diff --git a/documentation/content/en/books/handbook/advanced-networking/_index.adoc b/documentation/content/en/books/handbook/advanced-networking/_index.adoc
index 732de75166..b9194449cd 100644
--- a/documentation/content/en/books/handbook/advanced-networking/_index.adoc
+++ b/documentation/content/en/books/handbook/advanced-networking/_index.adoc
@@ -1,12 +1,12 @@
 ---
-title: Chapter 33. Advanced Networking
+title: Chapter 34. Advanced Networking
 part: IV. Network Communication
 prev: books/handbook/firewalls
 next: books/handbook/partv
 description: "Advanced networking in FreeBSD:  basics of gateways and routes, CARP, how to configure multiple VLANs on FreeBSD, etc"
-tags: ["Advanced Networking", "Handbook", "gateway", "routes", "wireless", "tethering", "bluetooth", "bridging", "ipv6", "CARP", "VLAN"]
+tags: ["Advanced Networking", "Handbook", "gateway", "routes", "wireless", "tethering", "bluetooth", "bridging", "CARP", "VLAN"]
 showBookMenu: true
-weight: 38
+weight: 39
 path: "/books/handbook/"
 ---
 
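Review bot: The `tags` line drops "ipv6" but gains nothing for the Virtual Hosts section that this commit moves into the chapter, and the unchanged `description` does not mention it either. Consider adding a tag such as "virtual hosts" and extending the description to match. The chapter number is also hard-coded here in `title` (34) and `weight` (39), and both have to stay in step with `:sectnumoffset: 34` in the next hunk.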
@@ -18,7 +18,7 @@ path: "/books/handbook/"
 :icons: font
 :sectnums:
 :sectnumlevels: 6
-:sectnumoffset: 33
+:sectnumoffset: 34
 :partnums:
 :source-highlighter: rouge
 :experimental:
@@ -60,7 +60,6 @@ After reading this chapter, you will know:
 * How to set up IEEE(R) 802.11 and Bluetooth(R) devices.
 * How to make FreeBSD act as a bridge.
 * How to set up network PXE booting.
-* How to set up IPv6 on a FreeBSD machine.
 * How to enable and utilize the features of the Common Address Redundancy Protocol (CARP) in FreeBSD.
 * How to configure multiple VLANs on FreeBSD.
 * Configure bluetooth headset.
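Review bot: The synopsis list loses the IPv6 bullet but gets no entry for the Virtual Hosts section that a later hunk adds to this chapter. Suggest adding a bullet for virtual hosts and interface aliases next to the removed line. The unchanged last bullet, "Configure bluetooth headset.", also does not follow the "How to ..." form of the other items and could be aligned while this list is being touched.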
@@ -69,6 +68,7 @@ Before reading this chapter, you should:
 
 * Understand the basics of the [.filename]#/etc/rc# scripts.
 * Be familiar with basic network terminology.
+* Understand basic network configuration on FreeBSD (crossref:network[network,FreeBSD network]).
 * Know how to configure and install a new FreeBSD kernel (crossref:kernelconfig[kernelconfig,Configuring the FreeBSD Kernel]).
 * Know how to install additional third-party software (crossref:ports[ports,Installing Applications: Packages and Ports]).
 
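Review bot: The link text in the added prerequisite, `crossref:network[network,FreeBSD network]`, is a loose label, while the two entries after it use the full title of the target chapter ("Configuring the FreeBSD Kernel", "Installing Applications: Packages and Ports"). Suggest using the new chapter's actual title as the link text so the prerequisites list reads consistently.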
@@ -329,500 +329,65 @@ DVMRP has largely been replaced by the PIM protocol in many multicast installati
 Refer to man:pim[4] for more information.
 ====
 
-[[network-wireless]]
-== Wireless Networking
+[[configtuning-virtual-hosts]]
+== Virtual Hosts
 
-=== Wireless Networking Basics
+A common use of FreeBSD is virtual site hosting, where one server appears to the network as many servers.
+This is achieved by assigning multiple network addresses to a single interface.
 
-Most wireless networks are based on the IEEE(R) 802.11 standards.
-A basic wireless network consists of multiple stations communicating with radios that broadcast in either the 2.4GHz or 5GHz band, though this varies according to the locale and is also changing to enable communication in the 2.3GHz and 4.9GHz ranges.
-
-802.11 networks are organized in two ways.
-In _infrastructure mode_, one station acts as a master with all the other stations associating to it, the network is known as a BSS, and the master station is termed an access point (AP).
-In a BSS, all communication passes through the AP; even when one station wants to communicate with another wireless station, messages must go through the AP.
-In the second form of network, there is no master and stations communicate directly.
-This form of network is termed an IBSS and is commonly known as an _ad-hoc network_.
-
-802.11 networks were first deployed in the 2.4GHz band using protocols defined by the IEEE(R) 802.11 and 802.11b standard.
-These specifications include the operating frequencies and the MAC layer characteristics, including framing and transmission rates, as communication can occur at various rates.
-Later, the 802.11a standard defined operation in the 5GHz band, including different signaling mechanisms and higher transmission rates.
-Still later, the 802.11g standard defined the use of 802.11a signaling and transmission mechanisms in the 2.4GHz band in such a way as to be backwards compatible with 802.11b networks.
-
-Separate from the underlying transmission techniques, 802.11 networks have a variety of security mechanisms.
-The original 802.11 specifications defined a simple security protocol called WEP.
-This protocol uses a fixed pre-shared key and the RC4 cryptographic cipher to encode data transmitted on a network.
-Stations must all agree on the fixed key in order to communicate.
-This scheme was shown to be easily broken and is now rarely used except to discourage transient users from joining networks.
-Current security practice is given by the IEEE(R) 802.11i specification that defines new cryptographic ciphers and an additional protocol to authenticate stations to an access point and exchange keys for data communication.
-Cryptographic keys are periodically refreshed and there are mechanisms for detecting and countering intrusion attempts.
-Another security protocol specification commonly used in wireless networks is termed WPA, which was a precursor to 802.11i.
-WPA specifies a subset of the requirements found in 802.11i and is designed for implementation on legacy hardware.
-Specifically, WPA requires only the TKIP cipher that is derived from the original WEP cipher.
-802.11i permits use of TKIP but also requires support for a stronger cipher, AES-CCM, for encrypting data.
-The AES cipher was not required in WPA because it was deemed too computationally costly to be implemented on legacy hardware.
-
-The other standard to be aware of is 802.11e. It defines protocols for deploying multimedia applications, such as streaming video and voice over IP (VoIP), in an 802.11 network.
-Like 802.11i, 802.11e also has a precursor specification termed WME (later renamed WMM) that has been defined by an industry group as a subset of 802.11e that can be deployed now to enable multimedia applications while waiting for the final ratification of 802.11e.
-The most important thing to know about 802.11e and WME/WMM is that it enables prioritized traffic over a wireless network through Quality of Service (QoS) protocols and enhanced media access protocols.
-Proper implementation of these protocols enables high speed bursting of data and prioritized traffic flow.
-
-FreeBSD supports networks that operate using 802.11a, 802.11b, and 802.11g.
-The WPA and 802.11i security protocols are likewise supported (in conjunction with any of 11a, 11b, and 11g) and QoS and traffic prioritization required by the WME/WMM protocols are supported for a limited set of wireless devices.
-
-[[network-wireless-quick-start]]
-=== Quick Start
-
-Connecting a computer to an existing wireless network is a very common situation.
-This procedure shows the steps required.
-
-[.procedure]
-. Obtain the SSID (Service Set Identifier) and PSK (Pre-Shared Key) for the wireless network from the network administrator.
-. Identify the wireless adapter. The FreeBSD [.filename]#GENERIC# kernel includes drivers for many common wireless adapters.
-If the wireless adapter is one of those models, it will be listed in the man:sysctl[8] `net.wlan.devices` variable:
-+
-[source,shell]
-....
-% sysctl net.wlan.devices
-....
-+
-If a wireless adapter is not listed, an additional kernel module might be required, or it might be a model not supported by FreeBSD.
-+
-This example shows the Atheros `ath0` wireless adapter.
-. Add an entry for this network to [.filename]#/etc/wpa_supplicant.conf#. If the file does not exist, create it. Replace _myssid_ and _mypsk_ with the SSID and PSK provided by the network administrator.
-+
-[.programlisting]
-....
-network={
-	ssid="myssid"
-	psk="mypsk"
-}
-....
-
-. Add entries to [.filename]#/etc/rc.conf# to configure the network on startup:
-+
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="WPA SYNCDHCP"
-....
-
-. Restart the computer, or restart the network service to connect to the network:
-+
-[source,shell]
-....
-# service netif restart
-....
-
-[[network-wireless-basic]]
-=== Basic Setup
-
-==== Kernel Configuration
-
-To use wireless networking, a wireless networking card is needed and the kernel needs to be configured with the appropriate wireless networking support. 
-The kernel is separated into multiple modules so that only the required support needs to be configured.
-
-The most commonly used wireless devices are those that use parts made by Atheros.
-These devices are supported by man:ath[4] and require the following line to be added to [.filename]#/boot/loader.conf#:
-
-[.programlisting]
-....
-if_ath_load="YES"
-....
-
-The Atheros driver is split up into three separate pieces: the driver (man:ath[4]), the hardware support layer that handles chip-specific functions (man:ath_hal[4]), and an algorithm for selecting the rate for transmitting frames.
-When this support is loaded as kernel modules, any dependencies are automatically handled.
-To load support for a different type of wireless device, specify the module for that device.
-This example is for devices based on the Intersil Prism parts (man:wi[4]) driver:
-
-[.programlisting]
-....
-if_wi_load="YES"
-....
-
-[NOTE]
-====
-The examples in this section use an man:ath[4] device and the device name in the examples must be changed according to the configuration.
-A list of available wireless drivers and supported adapters can be found in the FreeBSD Hardware Notes, available on the https://www.FreeBSD.org/releases/[Release Information] page of the FreeBSD website.
-If a native FreeBSD driver for the wireless device does not exist, it may be possible to use the Windows(R) driver with the help of the crossref:config[config-network-ndis,NDIS] driver wrapper.
-====
-
-In addition, the modules that implement cryptographic support for the security protocols to use must be loaded.
-These are intended to be dynamically loaded on demand by the man:wlan[4] module, but for now they must be manually configured.
-The following modules are available: man:wlan_wep[4], man:wlan_ccmp[4], and man:wlan_tkip[4].
-The man:wlan_ccmp[4] and man:wlan_tkip[4] drivers are only needed when using the WPA or 802.11i security protocols.
-If the network does not use encryption, man:wlan_wep[4] support is not needed.
-To load these modules at boot time, add the following lines to [.filename]#/boot/loader.conf#:
-
-[.programlisting]
-....
-wlan_wep_load="YES"
-wlan_ccmp_load="YES"
-wlan_tkip_load="YES"
-....
-
-Once this information has been added to [.filename]#/boot/loader.conf#, reboot the FreeBSD box.
-Alternately, load the modules by hand using man:kldload[8].
-
-[NOTE]
-====
-For users who do not want to use modules, it is possible to compile these drivers into the kernel by adding the following lines to a custom kernel configuration file:
-
-[.programlisting]
-....
-device wlan                 # 802.11 support
-device wlan_wep             # 802.11 WEP support
-device wlan_ccmp            # 802.11 CCMP support
-device wlan_tkip            # 802.11 TKIP support
-device wlan_amrr            # AMRR transmit rate control algorithm
-device ath                  # Atheros pci/cardbus NIC's
-device ath_hal              # pci/cardbus chip support
-options AH_SUPPORT_AR5416   # enable AR5416 tx/rx descriptors
-device ath_rate_sample      # SampleRate tx rate control for ath
-....
-
-With this information in the kernel configuration file, recompile the kernel and reboot the FreeBSD machine.
-====
-
-Information about the wireless device should appear in the boot messages, like this:
-
-[source,shell]
-....
-ath0: <Atheros 5212> mem 0x88000000-0x8800ffff irq 11 at device 0.0 on cardbus1
-ath0: [ITHREAD]
-ath0: AR2413 mac 7.9 RF2413 phy 4.5
-....
-
-==== Setting the Correct Region
-
-Since the regulatory situation is different in various parts of the world, it is necessary to correctly set the domains that apply to your location to have the correct information about what channels can be used.
-
-The available region definitions can be found in [.filename]#/etc/regdomain.xml#.
-To set the data at runtime, use `ifconfig`:
-
-[source,shell]
-....
-# ifconfig wlan0 regdomain ETSI country AT
-....
-
-To persist the settings, add it to [.filename]#/etc/rc.conf#:
-
-[source,shell]
-....
-# sysrc create_args_wlan0="country AT regdomain ETSI"
-....
-
-=== Infrastructure Mode
-
-Infrastructure (BSS) mode is the mode that is typically used.
-In this mode, a number of wireless access points are connected to a wired network.
-Each wireless network has its own name, called the SSID.
-Wireless clients connect to the wireless access points.
-
-==== FreeBSD Clients
-
-===== How to Find Access Points
-
-To scan for available networks, use man:ifconfig[8].
-This request may take a few moments to complete as it requires the system to switch to each available wireless frequency and probe for available access points.
-Only the superuser can initiate a scan:
-
-[source,shell]
-....
-# ifconfig wlan0 create wlandev ath0
-# ifconfig wlan0 up
-# ifconfig wlan0 scan
-SSID/MESH ID    BSSID              CHAN RATE   S:N     INT CAPS
-dlinkap         00:13:46:49:41:76   11   54M -90:96   100 EPS  WPA WME
-freebsdap       00:11:95:c3:0d:ac    1   54M -83:96   100 EPS  WPA
-....
-
-[NOTE]
-====
-The interface must be `up` before it can scan.
-Subsequent scan requests do not require the interface to be marked as up again.
-====
-
-The output of a scan request lists each BSS/IBSS network found.
-Besides listing the name of the network, the `SSID`, the output also shows the `BSSID`, which is the MAC address of the access point.
-The `CAPS` field identifies the type of each network and the capabilities of the stations operating there (see the definition of `list scan` in man:ifconfig[8] for more details).
-
-One can also display the current list of known networks with:
-
-[source,shell]
-....
-# ifconfig wlan0 list scan
-....
-
-This information may be updated automatically by the adapter or manually with a `scan` request.
-Old data is automatically removed from the cache, so over time this list may shrink unless more scans are done.
-
-===== Basic Settings
-
-This section provides a simple example of how to make the wireless network adapter work in FreeBSD without encryption.
-Once familiar with these concepts, it is strongly recommend to use <<network-wireless-wpa,WPA>> to set up the wireless network.
-
-There are three basic steps to configure a wireless network: select an access point, authenticate the station, and configure an IP address.
-The following sections discuss each step.
-
-====== Selecting an Access Point
-
-Most of the time, it is sufficient to let the system choose an access point using the builtin heuristics.
-This is the default behavior when an interface is marked as up or it is listed in [.filename]#/etc/rc.conf#:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="DHCP"
-....
-
-If there are multiple access points, a specific one can be selected by its SSID:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="ssid your_ssid_here DHCP"
-....
-
-In an environment where there are multiple access points with the same SSID, which is often done to simplify roaming, it may be necessary to associate to one specific device.
-In this case, the BSSID of the access point can be specified, with or without the SSID:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="ssid your_ssid_here bssid xx:xx:xx:xx:xx:xx DHCP"
-....
-
-There are other ways to constrain the choice of an access point, such as limiting the set of frequencies the system will scan on.
-This may be useful for a multi-band wireless card as scanning all the possible channels can be time-consuming.
-To limit operation to a specific band, use the `mode` parameter:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="mode 11g ssid your_ssid_here DHCP"
-....
-
-This example will force the card to operate in 802.11g, which is defined only for 2.4GHz frequencies so any 5GHz channels will not be considered.
-This can also be achieved with the `channel` parameter, which locks operation to one specific frequency, and the `chanlist` parameter, to specify a list of channels for scanning.
-More information about these parameters can be found in man:ifconfig[8].
-
-====== Authentication
-
-Once an access point is selected, the station needs to authenticate before it can pass data.
-Authentication can happen in several ways.
-The most common scheme, open authentication, allows any station to join the network and communicate.
-This is the authentication to use for test purposes the first time a wireless network is setup.
-Other schemes require cryptographic handshakes to be completed before data traffic can flow, either using pre-shared keys or secrets, or more complex schemes that involve backend services such as RADIUS.
-Open authentication is the default setting.
-The next most common setup is WPA-PSK, also known as WPA Personal, which is described in <<network-wireless-wpa-wpa-psk>>.
-
-[NOTE]
-====
-If using an Apple(R) AirPort(R) Extreme base station for an access point, shared-key authentication together with a WEP key needs to be configured.
-This can be configured in [.filename]#/etc/rc.conf# or by using man:wpa_supplicant[8].
-For a single AirPort(R) base station, access can be configured with:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="authmode shared wepmode on weptxkey 1 wepkey 01234567 DHCP"
-....
-
-In general, shared key authentication should be avoided because it uses the WEP key material in a highly-constrained manner, making it even easier to crack the key.
-If WEP must be used for compatibility with legacy devices, it is better to use WEP with `open` authentication.
-More information regarding WEP can be found in <<network-wireless-wep>>.
-====
-
-====== Getting an IP Address with DHCP
-
-Once an access point is selected and the authentication parameters are set, an IP address must be obtained in order to communicate.
-Most of the time, the IP address is obtained via DHCP.
-To achieve that, edit [.filename]#/etc/rc.conf# and add `DHCP` to the configuration for the device:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="DHCP"
-....
-
-The wireless interface is now ready to bring up:
+A given network interface has one "real" address, and may have any number of "alias" addresses.
+These aliases are normally added by placing alias entries in [.filename]#/etc/rc.conf#, as seen in this example:
 
 [source,shell]
 ....
-# service netif start
+# sysrc ifconfig_fxp0_alias0="inet xxx.xxx.xxx.xxx netmask xxx.xxx.xxx.xxx"
 ....
 
-Once the interface is running, use man:ifconfig[8] to see the status of the interface [.filename]#ath0#:
+Alias entries must start with `alias__0__` using a sequential number such as `alias0`, `alias1`, and so on.
+The configuration process will stop at the first missing number.
 
-[source,shell]
-....
-# ifconfig wlan0
-wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
-        ether 00:11:95:d5:43:62
-        inet 192.168.1.100 netmask 0xffffff00 broadcast 192.168.1.255
-        media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
-        status: associated
-        ssid dlinkap channel 11 (2462 Mhz 11g) bssid 00:13:46:49:41:76
-        country US ecm authmode OPEN privacy OFF txpower 21.5 bmiss 7
-        scanvalid 60 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7
-        roam:rate 5 protmode CTS wme burst
-....
-
-The `status: associated` line means that it is connected to the wireless network.
-The `bssid 00:13:46:49:41:76` is the MAC address of the access point and `authmode OPEN` indicates that the communication is not encrypted.
-
-====== Static IP Address
-
-If an IP address cannot be obtained from a DHCP server, set a fixed IP address.
-Replace the `DHCP` keyword shown above with the address information.
-Be sure to retain any other parameters for selecting the access point:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="inet 192.168.1.100 netmask 255.255.255.0 ssid your_ssid_here"
-....
-
-[[network-wireless-wpa]]
-===== WPA
-
-Wi-Fi Protected Access (WPA) is a security protocol used together with 802.11 networks to address the lack of proper authentication and the weakness of WEP.
-WPA leverages the 802.1X authentication protocol and uses one of several ciphers instead of WEP for data integrity.
-The only cipher required by WPA is the Temporary Key Integrity Protocol (TKIP).
-TKIP is a cipher that extends the basic RC4 cipher used by WEP by adding integrity checking, tamper detection, and measures for responding to detected intrusions.
-TKIP is designed to work on legacy hardware with only software modification.
-It represents a compromise that improves security but is still not entirely immune to attack.
-WPA also specifies the AES-CCMP cipher as an alternative to TKIP, and that is preferred when possible.
-For this specification, the term WPA2 or RSN is commonly used.
+The calculation of alias netmasks is important.
+For a given interface, there must be one address which correctly represents the network's netmask.
+Any other addresses which fall within this network must have a netmask of all ``1``s, expressed as either `255.255.255.255` or `0xffffffff`.
 
-WPA defines authentication and encryption protocols.
-Authentication is most commonly done using one of two techniques: by 802.1X and a backend authentication service such as RADIUS, or by a minimal handshake between the station and the access point using a pre-shared secret.
-The former is commonly termed WPA Enterprise and the latter is known as WPA Personal.
-Since most people will not set up a RADIUS backend server for their wireless network, WPA-PSK is by far the most commonly encountered configuration for WPA.
-
-The control of the wireless connection and the key negotiation or authentication with a server is done using man:wpa_supplicant[8].
-This program requires a configuration file, [.filename]#/etc/wpa_supplicant.conf#, to run.
-More information regarding this file can be found in man:wpa_supplicant.conf[5].
-
-[[network-wireless-wpa-wpa-psk]]
-====== WPA-PSK
-
-WPA-PSK, also known as WPA Personal, is based on a pre-shared key (PSK) which is generated from a given password and used as the master key in the wireless network.
-This means every wireless user will share the same key.
-WPA-PSK is intended for small networks where the use of an authentication server is not possible or desired.
-
-[WARNING]
-====
-Always use strong passwords that are sufficiently long and made from a rich alphabet so that they will not be easily guessed or attacked.
-====
-
-The first step is the configuration of [.filename]#/etc/wpa_supplicant.conf# with the SSID and the pre-shared key of the network:
-
-[.programlisting]
-....
-network={
-  ssid="freebsdap"
-  psk="freebsdmall"
-}
-....
-
-Then, in [.filename]#/etc/rc.conf#, indicate that the wireless device configuration will be done with WPA and the IP address will be obtained with DHCP:
-
-[.programlisting]
-....
-wlans_ath0="wlan0"
-ifconfig_wlan0="WPA DHCP"
-....
-
-Then, bring up the interface:
-
-[source,shell]
-....
-# service netif start
-Starting wpa_supplicant.
-DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 5
-DHCPDISCOVER on wlan0 to 255.255.255.255 port 67 interval 6
-DHCPOFFER from 192.168.0.1
-DHCPREQUEST on wlan0 to 255.255.255.255 port 67
-DHCPACK from 192.168.0.1
-bound to 192.168.0.254 -- renewal in 300 seconds.
-wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
-      ether 00:11:95:d5:43:62
-      inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
-      media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
-      status: associated
-      ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
-      country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
-      AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
-      bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
-      wme burst roaming MANUAL
-....
+For example, consider the case where the `fxp0` interface is connected to two networks: `10.1.1.0` with a netmask of `255.255.255.0` and `202.0.75.16` with a netmask of `255.255.255.240`.
+The system is to be configured to appear in the ranges `10.1.1.1` through `10.1.1.5` and `202.0.75.17` through `202.0.75.20`.
+Only the first address in a given network range should have a real netmask.
+All the rest (`10.1.1.2` through `10.1.1.5` and `202.0.75.18` through `202.0.75.20`) must be configured with a netmask of `255.255.255.255`.
 
-Or, try to configure the interface manually using the information in [.filename]#/etc/wpa_supplicant.conf#:
+The following [.filename]#/etc/rc.conf# entries configure the adapter correctly for this scenario:
 
 [source,shell]
 ....
-# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
-Trying to associate with 00:11:95:c3:0d:ac (SSID='freebsdap' freq=2412 MHz)
-Associated with 00:11:95:c3:0d:ac
-WPA: Key negotiation completed with 00:11:95:c3:0d:ac [PTK=CCMP GTK=CCMP]
-CTRL-EVENT-CONNECTED - Connection to 00:11:95:c3:0d:ac completed (auth) [id=0 id_str=]
+# sysrc ifconfig_fxp0="inet 10.1.1.1 netmask 255.255.255.0"
+# sysrc ifconfig_fxp0_alias0="inet 10.1.1.2 netmask 255.255.255.255"
+# sysrc ifconfig_fxp0_alias1="inet 10.1.1.3 netmask 255.255.255.255"
+# sysrc ifconfig_fxp0_alias2="inet 10.1.1.4 netmask 255.255.255.255"
+# sysrc ifconfig_fxp0_alias3="inet 10.1.1.5 netmask 255.255.255.255"
+# sysrc ifconfig_fxp0_alias4="inet 202.0.75.17 netmask 255.255.255.240"
+# sysrc ifconfig_fxp0_alias5="inet 202.0.75.18 netmask 255.255.255.255"
+# sysrc ifconfig_fxp0_alias6="inet 202.0.75.19 netmask 255.255.255.255"
+# sysrc ifconfig_fxp0_alias7="inet 202.0.75.20 netmask 255.255.255.255"
 ....
 
-The next operation is to launch man:dhclient[8] to get the IP address from the DHCP server:
+A simpler way to express this is with a space-separated list of IP address ranges.
+The first address will be given the indicated subnet mask and the additional addresses will have a subnet mask of `255.255.255.255`.
 
 [source,shell]
 ....
-# dhclient wlan0
-DHCPREQUEST on wlan0 to 255.255.255.255 port 67
-DHCPACK from 192.168.0.1
-bound to 192.168.0.254 -- renewal in 300 seconds.
-# ifconfig wlan0
-wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
-      ether 00:11:95:d5:43:62
-      inet 192.168.0.254 netmask 0xffffff00 broadcast 192.168.0.255
-      media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
-      status: associated
-      ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
-      country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
-      AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
-      bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
-      wme burst roaming MANUAL
+# sysrc ifconfig_fxp0_aliases="inet 10.1.1.1-5/24 inet 202.0.75.17-20/28"
 ....
 
-[NOTE]
-====
-If [.filename]#/etc/rc.conf# has an `ifconfig_wlan0="DHCP"` entry, man:dhclient[8] will be launched automatically after man:wpa_supplicant[8] associates with the access point.
-====
-
-If DHCP is not possible or desired, set a static IP address after man:wpa_supplicant[8] has authenticated the station:
-
-[source,shell]
-....
-# ifconfig wlan0 inet 192.168.0.100 netmask 255.255.255.0
-# ifconfig wlan0
-wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
-      ether 00:11:95:d5:43:62
-      inet 192.168.0.100 netmask 0xffffff00 broadcast 192.168.0.255
-      media: IEEE 802.11 Wireless Ethernet OFDM/36Mbps mode 11g
-      status: associated
-      ssid freebsdap channel 1 (2412 Mhz 11g) bssid 00:11:95:c3:0d:ac
-      country US ecm authmode WPA2/802.11i privacy ON deftxkey UNDEF
-      AES-CCM 3:128-bit txpower 21.5 bmiss 7 scanvalid 450 bgscan
-      bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5 protmode CTS
-      wme burst roaming MANUAL
-....
+[[network-advanced-wireless]]
+== Wireless Advanced Authentication
 
-When DHCP is not used, the default gateway and the nameserver also have to be manually set:
+FreeBSD supports different ways of connecting to a wireless network.
+This section describes how to perform advanced authentication to a Wireless Network.
 
-[source,shell]
-....
-# route add default your_default_router
-# echo "nameserver your_DNS_server" >> /etc/resolv.conf
-....
+To make a connection and basic authentication to a wireless network the section crossref:network[wireless-authentication,Connection and Authentication to a Wireless Network] in the Network Chapter describes how to do it.
 
 [[network-wireless-wpa-eap-tls]]
-====== WPA with EAP-TLS
+=== WPA with EAP-TLS
 
 The second way to use WPA is with an 802.1X backend authentication server.
 In this case, WPA is called WPA Enterprise to differentiate it from the less secure WPA Personal.
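Review bot: Under the new `== Wireless Advanced Authentication` heading, the first subsection still opens with "The second way to use WPA is with an 802.1X backend authentication server", but this hunk removes the preceding WPA material from the chapter, so the ordinal no longer refers to anything here. Suggest rewording that opener to stand alone, for example "WPA can also be used with an 802.1X backend authentication server". The added crossref sentence also reads awkwardly ("To make a connection and basic authentication ... describes how to do it"); something like "Basic connection and authentication are described in crossref:network[wireless-authentication,Connection and Authentication to a Wireless Network]" is shorter and avoids the inconsistent capitalisation of "Wireless Network" and "Network Chapter".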
@@ -896,7 +461,7 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 It is also possible to bring up the interface manually using man:wpa_supplicant[8] and man:ifconfig[8].
 
 [[network-wireless-wpa-eap-ttls]]
-====== WPA with EAP-TTLS
+=== WPA with EAP-TTLS
 
 With EAP-TLS, both the authentication server and the client need a certificate.
 With EAP-TTLS, a client certificate is optional.
@@ -957,7 +522,7 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
 ....
 
 [[network-wireless-wpa-eap-peap]]
-====== WPA with EAP-PEAP
+=== WPA with EAP-PEAP
 
 [NOTE]
 ====
@@ -1027,54 +592,8 @@ wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
       wme burst roaming MANUAL
 ....
 
-[[network-wireless-wep]]
-===== WEP
-
-Wired Equivalent Privacy (WEP) is part of the original 802.11 standard.
-There is no authentication mechanism, only a weak form of access control which is easily cracked.
-
-WEP can be set up using man:ifconfig[8]:
-
-[source,shell]
-....
-# ifconfig wlan0 create wlandev ath0
-# ifconfig wlan0 inet 192.168.1.100 netmask 255.255.255.0 \
-	    ssid my_net wepmode on weptxkey 3 wepkey 3:0x3456789012
-....
-
-* The `weptxkey` specifies which WEP key will be used in the transmission. This example uses the third key. This must match the setting on the access point. When unsure which key is used by the access point, try `1` (the first key) for this value.
-* The `wepkey` selects one of the WEP keys. It should be in the format _index:key_. Key `1` is used by default; the index only needs to be set when using a key other than the first key.
-+
-[NOTE]
-====
-Replace the `0x3456789012` with the key configured for use on the access point.
-====
-
-Refer to man:ifconfig[8] for further information.
-
-The man:wpa_supplicant[8] facility can be used to configure a wireless interface with WEP.
-The example above can be set up by adding the following lines to [.filename]#/etc/wpa_supplicant.conf#:
-
-[.programlisting]
-....
-network={
-  ssid="my_net"
-  key_mgmt=NONE
-  wep_key3=3456789012
-  wep_tx_keyidx=3
-}
-....
-
-Then:
-
-[source,shell]
-....
-# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
-Trying to associate with 00:13:46:49:41:76 (SSID='dlinkap' freq=2437 MHz)
-Associated with 00:13:46:49:41:76
-....
-
-=== Ad-hoc Mode
+[[wireless-ad-hoc-mode]]
+== Wireless Ad-hoc Mode
 
 IBSS mode, also called ad-hoc mode, is designed for point to point connections.
 For example, to establish an ad-hoc network between the machines `A` and `B`, choose two IP addresses and a SSID.
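Review bot: The new anchor `[[wireless-ad-hoc-mode]]` drops the `network-` prefix used by the other anchors visible in this file (`network-advanced-wireless`, `network-wireless-wpa-eap-tls`, `network-usb-tethering`); suggest `[[network-wireless-ad-hoc-mode]]` for consistency. Separately, the WEP client section and its `[[network-wireless-wep]]` anchor are deleted here, while the commit message lists only moves. If WEP documentation is being dropped rather than moved, the message should say so, and it is worth confirming that no `<<network-wireless-wep>>` reference survives elsewhere in the handbook.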
@@ -1308,85 +827,6 @@ Once the AP is running, the clients can associate with it.
 See <<network-wireless-wpa>> for more details.
 It is possible to see the stations associated with the AP using `ifconfig _wlan0_ list sta`.
 
-==== WEP Host-based Access Point
-
-It is not recommended to use WEP for setting up an AP since there is no authentication mechanism and the encryption is easily cracked.
-Some legacy wireless cards only support WEP and these cards will only support an AP without authentication or encryption.
-
-The wireless device can now be put into hostap mode and configured with the correct SSID and IP address:
-
-[source,shell]
-....
-# ifconfig wlan0 create wlandev ath0 wlanmode hostap
-# ifconfig wlan0 inet 192.168.0.1 netmask 255.255.255.0 \
-	ssid freebsdap wepmode on weptxkey 3 wepkey 3:0x3456789012 mode 11g
-....
-
-* The `weptxkey` indicates which WEP key will be used in the transmission. This example uses the third key as key numbering starts with `1`. This parameter must be specified in order to encrypt the data.
-* The `wepkey` sets the selected WEP key. It should be in the format _index:key_. If the index is not given, key `1` is set. The index needs to be set when using keys other than the first key.
-
-Use man:ifconfig[8] to see the status of the [.filename]#wlan0# interface:
-
-[source,shell]
-....
-# ifconfig wlan0
-  wlan0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
-	  ether 00:11:95:c3:0d:ac
-	  inet 192.168.0.1 netmask 0xffffff00 broadcast 192.168.0.255
-	  media: IEEE 802.11 Wireless Ethernet autoselect mode 11g <hostap>
-	  status: running
-	  ssid freebsdap channel 4 (2427 Mhz 11g) bssid 00:11:95:c3:0d:ac
-	  country US ecm authmode OPEN privacy ON deftxkey 3 wepkey 3:40-bit
-	  txpower 21.5 scanvalid 60 protmode CTS wme burst dtimperiod 1 -dfs
-....
-
-From another wireless machine, it is now possible to initiate a scan to find the AP:
-
-[source,shell]
-....
-# ifconfig wlan0 create wlandev ath0
-# ifconfig wlan0 up scan
-SSID            BSSID              CHAN RATE  S:N   INT CAPS
-freebsdap       00:11:95:c3:0d:ac    1   54M 22:1   100 EPS
-....
-
-In this example, the client machine found the AP and can associate with it using the correct parameters.
-See <<network-wireless-wep>> for more details.
-
-=== Using Both Wired and Wireless Connections
-
-A wired connection provides better performance and reliability, while a wireless connection provides flexibility and mobility.
-Laptop users typically want to roam seamlessly between the two types of connections.
-
-On FreeBSD, it is possible to combine two or even more network interfaces together in a "failover" fashion.
-This type of configuration uses the most preferred and available connection from a group of network interfaces, and the operating system switches automatically when the link state changes.
-
-Link aggregation and failover is covered in <<network-aggregation>> and an example for using both wired and wireless connections is provided at <<networking-lagg-wired-and-wireless>>.
-
-=== Troubleshooting
-
-This section describes a number of steps to help troubleshoot common wireless networking problems.
-
-* If the access point is not listed when scanning, check that the configuration has not limited the wireless device to a limited set of channels.
-* If the device cannot associate with an access point, verify that the configuration matches the settings on the access point. This includes the authentication scheme and any security protocols. Simplify the configuration as much as possible. If using a security protocol such as WPA or WEP, configure the access point for open authentication and no security to see if traffic will pass.
-+
-Debugging support is provided by man:wpa_supplicant[8]. Try running this utility manually with `-dd` and look at the system logs.
-* Once the system can associate with the access point, diagnose the network configuration using tools like man:ping[8].
-* There are many lower-level debugging tools. Debugging messages can be enabled in the 802.11 protocol support layer using man:wlandebug[8]. For example, to enable console messages related to scanning for access points and the 802.11 protocol handshakes required to arrange communication:
-+
-[source,shell]
-....
-# wlandebug -i wlan0 +scan+auth+debug+assoc
-  net.wlan.0.debug: 0 => 0xc80000<assoc,auth,scan>
-....
-+
-Many useful statistics are maintained by the 802.11 layer and `wlanstats`, found in [.filename]#/usr/src/tools/tools/net80211#, will dump this information.
-These statistics should display all errors identified by the 802.11 layer.
-However, some errors are identified in the device drivers that lie below the 802.11 layer so they may not show up.
-To diagnose device-specific problems, refer to the driver documentation.
-
-If the above information does not help to clarify the problem, submit a problem report and include output from the above tools.
-
 [[network-usb-tethering]]
 == USB Tethering
 
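Review bot: The unchanged line "See <<network-wireless-wpa>> for more details." at the top of this hunk is an in-chapter reference; if the `network-wireless-wpa` anchor moved to the new network chapter together with the basic wireless section, it needs to become a `crossref:network[...]` like the one added in the Wireless Advanced Authentication intro, otherwise it will dangle. Also, the removed Troubleshooting text advises configuring the access point for open authentication and no security as a test. If that step is carried over into the new chapter's Troubleshooting section, it should tell the reader to restore the original security settings once the test is done.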
@@ -2742,255 +2182,6 @@ The `BUGS` sections in man:tftpd[8] and man:tftp[1] document some limitations wi
 ....
 ****
 
-[[network-ipv6]]
-== IPv6
-
-IPv6 is the new version of the well known IP protocol, also known as IPv4.
-IPv6 provides several advantages over IPv4 as well as many new features:
-
-* Its 128-bit address space allows for 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses. This addresses the IPv4 address shortage and eventual IPv4 address exhaustion.
-* Routers only store network aggregation addresses in their routing tables, thus reducing the average space of a routing table to 8192 entries. This addresses the scalability issues associated with IPv4, which required every allocated block of IPv4 addresses to be exchanged between Internet routers, causing their routing tables to become too large to allow efficient routing.
-
-* Address autoconfiguration (http://www.ietf.org/rfc/rfc2462.txt[RFC2462]).
-* Mandatory multicast addresses.
-* Built-in IPsec (IP security).
-* Simplified header structure.
-* Support for mobile IP.
-* IPv6-to-IPv4 transition mechanisms.
-
-FreeBSD includes the http://www.kame.net/[http://www.kame.net/] IPv6 reference implementation and comes with everything needed to use IPv6.
-This section focuses on getting IPv6 configured and running.
-
-=== Background on IPv6 Addresses
-
-There are three different types of IPv6 addresses:
-
-Unicast::
-A packet sent to a unicast address arrives at the interface belonging to the address.
-
-Anycast::
-These addresses are syntactically indistinguishable from unicast addresses but they address a group of interfaces.
-The packet destined for an anycast address will arrive at the nearest router interface.
-Anycast addresses are only used by routers.
-
-Multicast::
-These addresses identify a group of interfaces.
-A packet destined for a multicast address will arrive at all interfaces belonging to the multicast group.
-The IPv4 broadcast address, usually `xxx.xxx.xxx.255`, is expressed by multicast addresses in IPv6.
-
-When reading an IPv6 address, the canonical form is represented as `x:x:x:x:x:x:x:x`, where each `x` represents a 16 bit hex value.
-An example is `FEBC:A574:382B:23C1:AA49:4592:4EFE:9982`.
-
-Often, an address will have long substrings of all zeros.
-A `::` (double colon) can be used to replace one substring per address.
-Also, up to three leading ``0``s per hex value can be omitted.
-For example, `fe80::1` corresponds to the canonical form `fe80:0000:0000:0000:0000:0000:0000:0001`.
-
-A third form is to write the last 32 bits using the well known IPv4 notation.
-For example, `2002::10.0.0.1` corresponds to the hexadecimal canonical representation `2002:0000:0000:0000:0000:0000:0a00:0001`, which in turn is equivalent to `2002::a00:1`.
-
-To view a FreeBSD system's IPv6  address, use man:ifconfig[8]:
-
-[source,shell]
-....
-# ifconfig
-....
-
-[.programlisting]
-....
-rl0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500
-         inet 10.0.0.10 netmask 0xffffff00 broadcast 10.0.0.255
-         inet6 fe80::200:21ff:fe03:8e1%rl0 prefixlen 64 scopeid 0x1
-         ether 00:00:21:03:08:e1
-         media: Ethernet autoselect (100baseTX )
-         status: active
-....
-
-In this example, the [.filename]#rl0# interface is using `fe80::200:21ff:fe03:8e1%rl0`, an auto-configured link-local address which was automatically generated from the MAC address.
-
-Some IPv6 addresses are reserved.
-A summary of these reserved addresses is seen in <<reservedip6>>:
-
-[[reservedip6]]
-.Reserved IPv6 Addresses
-[cols="1,1,1,1", frame="none", options="header"]
-|===
-| IPv6 address
-| Prefixlength (Bits)
-| Description
-| Notes
-
-|`::`
-|128 bits
-|unspecified
-|Equivalent to `0.0.0.0` in IPv4.
-
-|`::1`
-|128 bits
-|loopback address
-|Equivalent to `127.0.0.1` in IPv4.
-
-|`::00:xx:xx:xx:xx`
-|96 bits
-|embedded IPv4
-|The lower 32 bits are the compatible IPv4 address.
-
-|`::ff:xx:xx:xx:xx`
-|96 bits
-|IPv4 mapped IPv6 address
-|The lower 32 bits are the IPv4 address for hosts which do not support IPv6.
-
-|`fe80::/10`
-|10 bits
-|link-local
-|Equivalent to 169.254.0.0/16 in IPv4.
-
-|`fc00::/7`
-|7 bits
-|unique-local
-|Unique local addresses are intended for local communication and are only routable within a set of cooperating sites.
-
-|`ff00::`
-|8 bits
-|multicast
-|
-
-|``2000::-3fff::``
-|3 bits
-|global unicast
-|All global unicast addresses are assigned from this pool. The first 3 bits are `001`.
-|===
-
-For further information on the structure of IPv6 addresses, refer to http://www.ietf.org/rfc/rfc3513.txt[RFC3513].
-
-=== Configuring IPv6
-
-To configure a FreeBSD system as an IPv6 client, add these two lines to [.filename]#rc.conf#:
-
-[.programlisting]
-....
-ifconfig_rl0_ipv6="inet6 accept_rtadv"
-rtsold_enable="YES"
-....
-
-The first line enables the specified interface to receive router advertisement messages.
-The second line enables the router solicitation daemon, man:rtsol[8].
-
-If the interface needs a statically assigned IPv6 address, add an entry to specify the static address and associated prefix length:
-
-[.programlisting]
-....
-ifconfig_rl0_ipv6="inet6 2001:db8:4672:6565:2026:5043:2d42:5344 prefixlen 64"
-....
-
-To assign a default router, specify its address:
-
-[.programlisting]
-....
-ipv6_defaultrouter="2001:db8:4672:6565::1"
-....
-
-=== Connecting to a Provider
-
-In order to connect to other IPv6 networks, one must have a provider or a tunnel that supports IPv6:
-
-* Contact an Internet Service Provider to see if they offer IPv6.
-* http://www.tunnelbroker.net[Hurricane Electric] offers tunnels with end-points all around the globe.
-
-[NOTE]
-====
-Install the package:net/freenet6[] package or port for a dial-up connection.
-====
-
-This section demonstrates how to take the directions from a tunnel provider and convert them into [.filename]#/etc/rc.conf# settings that will persist through reboots.
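Review bot: Since the commit message describes this as a move of the IPv6 section, the destination copy is a good place to fix the reserved-address table rather than carry it over verbatim: the `::ff:xx:xx:xx:xx` row describes IPv4-mapped addresses, whose prefix is `::ffff:0:0/96`, and the `ff00::` multicast row is missing its `/8`. The cited RFC2462 and RFC3513 have been obsoleted by RFC 4862 and RFC 4291, so the links could be updated at the same time. With `[[network-ipv6]]` and `[[reservedip6]]` leaving this file, any remaining `<<network-ipv6>>` references in this chapter need to become `crossref:network[...]`.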
*** 3028 LINES SKIPPED ***