It took a little while to determine the root cause, but, ...
I am rebuilding an old Windows workstation into a Linux based router/firewall/access-point using hostapd to provide wireless interfaces. Normally, this is a straightforward configuration. The twist in this case is that I am using Open vSwitch to handle layer 2 functions. The box has an existing Atheros AR5B22 based PCIe 1 card with two antenna connections on the rear face, which translates into a Qualcomm Atheros AR9462 chipset.
I added the wireless interface to OVS on vlan 10 with a command like:
ovs-vsctl add-port ovsbr0 wlp4s0 tag=10
I used a simple hostapd configuration file like:
# cat /etc/hostapd/hostapd.conf
interface=wlp4s0
driver=nl80211
ssid=test
auth_algs=1
# wpa is a bit field: 1 = WPA (version 1) only, 2 = RSN/WPA2 only, 3 = both
wpa=1
#wpa_psk_file=/etc/hostapd/hostapd.psk
wpa_passphrase=testtest
wpa_key_mgmt=WPA-PSK
# wpa_pairwise governs WPA1, so TKIP is negotiable with this file;
# rsn_pairwise is only consulted when wpa includes 2 (WPA2), so it is inert here
wpa_pairwise=CCMP TKIP
rsn_pairwise=CCMP
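A WPA2-only variant of that file, added here as an example and not the post's own configuration: with wpa=1 above, hostapd advertises WPA version 1 only, which leaves TKIP negotiable and never consults rsn_pairwise. Setting wpa=2 selects RSN/WPA2 with CCMP as the only pairwise cipher. The hostapd.conf parser does not accept trailing comments, so every comment sits on its own line. The ieee80211w line (management frame protection) assumes a build with CONFIG_IEEE80211W; drop it if hostapd rejects the option.

```conf
# added example, not the post's file: WPA2/CCMP-only form of the config above
interface=wlp4s0
driver=nl80211
ssid=test
# open system authentication only (3 would also allow WEP shared-key)
auth_algs=1
# 2 = RSN/WPA2 only; bit 1 (WPA1/TKIP) is left off
wpa=2
wpa_key_mgmt=WPA-PSK
# pairwise cipher for RSN; wpa_pairwise is not used when wpa=2
rsn_pairwise=CCMP
wpa_passphrase=testtest
# PMF optional (1) so older clients still connect; needs CONFIG_IEEE80211W in the build
ieee80211w=1
```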
When running in debug mode:
hostapd -d -K -t /etc/hostapd/hostapd.conf
I was seeing EAPOL (Extensible Authentication Protocol over LAN) retries: the WPA 4-way handshake was started but never completed. It took some research to come across the interaction between Open vSwitch and hostapd. The bottom line is that hostapd drives the radio through a control channel (nl80211), but EAPOL is carried in ordinary data frames, so hostapd also has to watch the packet path to pick out the EAPOL frames. It has built-in handling for the case where the wireless interface is a port of a regular Linux kernel bridge: it detects the bridge through sysfs and then accepts EAPOL frames delivered via that bridge. That detection only knows the kernel bridge module; an Open vSwitch port is not recognised, so the station's handshake frames never reach hostapd and it keeps retransmitting the handshake. Someone created a patch to work around the issue.
This patch isn't found in mainline hostapd, nor as a patch in the Debian repository. So... I need to apply it manually. I used the documentation found at Debian Building Tutorial as a starting point. The divergence is that the documentation uses a non-functional, deprecated tool called dpatch. I used quilt to handle patching.
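Before patching, it is worth seeing what hostapd's bridge detection actually looks at. The shell snippet below is an added example, not from the post and not hostapd's code; it mirrors the sysfs checks in hostapd's src/drivers/linux_ioctl.c (linux_br_get reads /sys/class/net/<if>/brport/bridge, linux_master_get reads /sys/class/net/<if>/master) so you can tell, on a given box, whether the wireless interface is in a state stock hostapd understands. SYSFS_NET is an assumed override so the function can be exercised against a fake sysfs tree; ovs_bridge_of only returns anything on a host that has ovs-vsctl.

```sh
#!/bin/sh
# Added diagnostic (not from the post or from hostapd): classify how an interface is
# enslaved, using the same sysfs entries hostapd's linux_ioctl.c consults.
#   /sys/class/net/<if>/brport/bridge  exists only for ports of the kernel bridge module
#                                      (what linux_br_get() reads; the case hostapd handles)
#   /sys/class/net/<if>/master         any master device (what linux_master_get() reads);
#                                      for an OVS port it points at the datapath device,
#                                      normally ovs-system, not at the OVS bridge name
# SYSFS_NET is an assumed override so the function can be exercised against a fake tree.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# attach_mode IFNAME
# Prints one of:
#   "bridge <brname>"   kernel bridge port: stock hostapd will find the bridge
#   "master <dev>"      enslaved to something else (e.g. ovs-system): hostapd's
#                       bridge detection fails, which is the EAPOL-retry case
#   "none"              not enslaved at all
attach_mode() {
    _if=$1
    if [ -e "$SYSFS_NET/$_if/brport/bridge" ]; then
        printf 'bridge %s\n' "$(basename "$(readlink "$SYSFS_NET/$_if/brport/bridge")")"
    elif [ -e "$SYSFS_NET/$_if/master" ]; then
        printf 'master %s\n' "$(basename "$(readlink "$SYSFS_NET/$_if/master")")"
    else
        echo none
    fi
}

# ovs_bridge_of IFNAME
# Resolve the OVS bridge that owns a port. Only the OVS database knows this, which is
# why sysfs alone cannot give hostapd the answer. Fails quietly without ovs-vsctl.
ovs_bridge_of() {
    command -v ovs-vsctl >/dev/null 2>&1 || return 1
    ovs-vsctl port-to-br "$1" 2>/dev/null
}

# Stand-alone use on a real host:  sh check.sh wlp4s0
if [ -n "${1:-}" ]; then
    attach_mode "$1"
    _br=$(ovs_bridge_of "$1") && echo "ovs bridge: $_br"
fi
```

On the real box, run this against wlp4s0 after the ovs-vsctl add-port step: the expected answer is "master ovs-system" rather than "bridge ...", which is exactly the state stock hostapd cannot handle. Pairing it with `tcpdump -ni wlp4s0 ether proto 0x888e` shows whether the station's EAPOL replies are reaching the interface at all, which separates this bridging problem from a radio or passphrase problem.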
As a sidebar, this server I am building uses LXC containers to segregate functionality, compartmentalise security, and to make it easier to keep the main install minimal. As patching and rebuilding the package requires a bunch of build tools, the tools can be easily installed, and then the whole build environment deleted when complete.
The annotated series of steps follows. I have a number of commented-out entries which I plan to play with later, once I understand the nuances better. One thing: there appears to be a lock-out of 5 GHz frequencies when acting as a host.
apt update
apt install build-essential fakeroot devscripts   # install tools
apt-get source hostapd                            # obtain source (the Debian source package is wpa)
# review the source directory, then
apt-get build-dep wpa                             # install the build dependencies
cd wpa-2.4/
debuild -b -uc -us                                # build with existing source
dpkg -i ../hostapd_2.4-1_amd64.deb                # install the package as a test
apt install quilt                                 # install patch manager
# assumes QUILT_PATCHES=debian/patches (usually set in ~/.quiltrc); without it quilt writes to ./patches/
quilt top                                         # inspect the current latest patch
ls -alt debian/patches/                           # most patches kept here
ls -alt patches/                                  # some are here as well
quilt new rpb_hostapd_openvswitch                 # create a new patch (quilt new also applies it as the top patch)
# in the following edit, I removed the content, and pasted the source from
# https://github.com/helmut-jacob/hostapd/blob/master/src/drivers/linux_ioctl.c
quilt edit src/drivers/linux_ioctl.c              # source file to change, leave function linux_master_get in place
quilt refresh                                     # refresh
quilt top                                         # my new patch is at the top
cat debian/patches/rpb_hostapd_openvswitch | less # this is my patch
quilt diff                                        # show the diff colorized
quilt push                                        # add the patch to the list of patches (already applied by quilt new, so this just reports the series as fully applied)
dch -n                                            # update the changelog and version (2.4-1 becomes 2.4-1.1)
debuild -b -uc -us                                # build with the new patch
# the patch can then be applied and tested (direct from the lxc container):
dpkg -i /var/lib/lxc/apd/rootfs/usr/src/hostapd_2.4-1.1_amd64.deb
With the patch, clients can now successfully associate and authenticate with hostapd when the wireless port is connected to an Open vSwitch bridge.
hostapd sample configurations:
- Hostapd: from a Gentoo perspective, with an intro to multiple AP and some references to 802.11ac with DFS
- CRDA Regulatory Code - getting hostapd to run in the 5g bands
- Edison AP mode in 5GHz - putting two and two together
- w1.fi hostapd.conf example
- hostapd docs, which include some 802.1X suggestions and notes on running with segregated networks. A RADIUS server such as FreeRADIUS is also needed for 802.1X style configurations: hostapd acts as the authenticator and relays the client's EAP exchange to the RADIUS server over the RADIUS protocol, and the server's reply carries the accept/reject decision (and optionally per-user attributes such as the VLAN to assign).
- simple hostapd/radius config
- openwrt / openvswitch: background information on the hostapd / openvswitch issue
- OpenFlow Isolation: use OpenFlow / Open vSwitch to isolate Wi-Fi networks and users, an improvement on per-user PSKs and 802.1X per-user VLANs, with ovs-ofctl examples.
- MAC address spoofing: since the per-user pre-shared key in a previous step might be keyed on the client's MAC address, here is a way to get around that limitation.
- hostapd and dhcp: simple wifi config
- SDN: Establishing a Session Database for SDN Using 802.1X and Multiple Authentication Resources -- interesting presentation on open flow, 802.1x, sdn, radius, ...
- Ath9k Chipsets
2018/09/16 Other configs (for 5ghz):
- My Wi-Fi access point revisited
- ArchLinux - [AR9390][ath9k][hostapd] No SSID in the air
- Hostapd much slower than expected
2020/08/21 From the mailing list:
For "normal" wifi you can't simply bridge the wlan interface of the client. You can bridge it on the AP. This is because in wifi you don't just have a source MAC and a destination MAC, but also a transmitter MAC and a receiver MAC. As an optimisation, in the ap2sta direction the destination and the receiver are a single field. In the sta2ap direction, the source and the transmitter are a single field. Take a look at 4addr mode, which solves the issue by actually having all 4 fields. This is a Linux-specific implementation and may not be available on all types of cards.
An alternative would be to have a routed connection between the two devices and bridge your ovs-instances via GRETAP.
2020/12/09 - some additional settings and notes - on Debian, hostapd gets installed without a configuration file. Once the configuration file is in place, run the following to auto-start hostapd:
- sudo systemctl unmask hostapd
- sudo systemctl enable hostapd
- sudo systemctl start hostapd
The commands are from: Failed to start hostapd.service: Unit hostapd.service is masked. #1018
Another note: Intel adapters (iwlwifi) are designed primarily for client-side operation. Use an ath5k/ath9k/ath10k adapter for server/host (AP) side operation. The concrete symptom here is that channel=0 in the configuration file, which turns on hostapd's automatic channel selection (ACS), results in errors and hostapd exiting, because ACS needs channel survey data from the driver and these drivers do not provide it. Set the channel explicitly, for example to 1, 6 or 11 (the non-overlapping 20 MHz channels in the 2.4 GHz band). The failure looks like:
ACS: Unable to collect survey data
ACS: All study options have failed
Interface initialization failed
Some interesting points from Intel Wireless 7260 as an access point:
- First, the card is said to be “dual-band” but you can only use one band at a time because there is only one radio. Almost all wireless cards have this limitation. If you want to use both the 2.4 GHz band and the less crowded 5 GHz band, two cards are usually needed.