# hostapd with bridge

## Rocky007

Hello,

I've just bought a "TP-Link TL-WN881ND WL300MBit PCIe" for creating an Access Point.

Now my question is: can this be done without netifrc, as I'm just using dhcpcd for the connection?

Also, I've only found tutorials/manuals with netifrc, used together with a bridged interface.

Currently my server is behind a FritzBox which has DHCP enabled, and enp7s0 is configured statically.

How would I set this up now?

Later on I'd like to have the server itself run DHCP and DNS; how would that be configured?

Thanks,

Rocky007

*Last edited by Rocky007 on Sun Feb 04, 2018 4:12 pm; edited 1 time in total*

----------

## bunder

DNS would be configured via DHCP when the time comes.

edit: it's preferable that you run dhcpd from the machine you're running hostapd on.

/etc/dhcp/dhcpd.conf

```
default-lease-time 3600; # one hour
max-lease-time 14400; # four hours
ddns-update-style none;
ignore client-updates;
authoritative;

option domain-name "mydomain.ca";
option domain-search "mydomain.ca";
option domain-name-servers 192.168.1.16;
option ntp-servers 192.168.1.16;

subnet 192.168.0.0 netmask 255.255.255.0
{
        option subnet-mask 255.255.255.0;
        option routers 192.168.0.1;
        range dynamic-bootp 192.168.0.100 192.168.0.200;

        host 1 {
                hardware ethernet 74:D4:35:xx:xx:xx;
                fixed-address 192.168.0.11;
                option host-name "computer";
        }
}
```

To answer your question about the hostapd interface: you don't need to use a bridge interface; wlan0 or en-whatever should be good.

----------

## Rocky007

Do you have an example config for

/etc/dhcpcd/dhcpcd.conf

/etc/hostapd/hostapd.conf

the interface in master (AP) mode

and whatever else is necessary?

----------

## bunder

*Rocky007 wrote:*

> Do you have an example config for
>
> /etc/dhcpcd/dhcpcd.conf
>
> /etc/hostapd/hostapd.conf
>
> ...

dhcpcd is for clients, as in your router grabbing an IP from your modem, or your computers asking for an IP from the router; a configuration typically isn't needed. As for hostapd, I recommend https://wiki.gentoo.org/wiki/Hostapd.

----------

## Rocky007

Hi,

now I've configured an IP via dhcpcd for the network card.

Also, when starting with "hostapd -dd /etc/hostapd/hostapd.conf", the IP is assigned to it and the state goes to UP.

But when trying to execute "/etc/init.d/hostapd start" it says "* ERROR: hostapd needs service(s) net.wlp10s0", which I think is related to netifrc...

How can I use it without netifrc and just dhcpcd?

And do I need a bridge, or is it just fine without...

Here are some logs:

```
# note: allow-hotplug is an ifupdown (Debian /etc/network/interfaces) directive,
# not a dhcpcd.conf option; dhcpcd's equivalent is "allowinterfaces wlp10s0"
allow-hotplug wlp10s0

interface wlp10s0
static ip_address=192.168.178.30/24
static routers=192.168.178.1
static domain_name_servers=192.168.178.1
```

```
4: wlp10s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 50:3e:aa:5f:30:56 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.30/24 brd 192.168.178.255 scope global wlp10s0
       valid_lft forever preferred_lft forever
```

```
iptables -A FORWARD -i enp7s0 -o wlp10s0 -j ACCEPT
iptables -A FORWARD -i wlp10s0 -o enp7s0 -j ACCEPT
```

```
Kernel IP Routentabelle
Ziel            Router          Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.178.1   0.0.0.0         UG    202    0        0 enp7s0
0.0.0.0         192.168.178.1   0.0.0.0         UG    304    0        0 wlp10s0
10.100.0.0      10.100.0.2      255.255.255.0   UG    0      0        0 tun0
10.100.0.2      0.0.0.0         255.255.255.255 UH    0      0        0 tun0
192.168.178.0   0.0.0.0         255.255.255.0   U     202    0        0 enp7s0
192.168.178.0   0.0.0.0         255.255.255.0   U     304    0        0 wlp10s0
```

```
Feb  2 19:35:38 sg1 dhcpcd[28271]: wlp10s0: carrier acquired
Feb  2 19:35:38 sg1 dhcpcd[28271]: wlp10s0: IAID aa:5f:30:56
Feb  2 19:35:38 sg1 dhcpcd[28271]: wlp10s0: probing address 192.168.178.30/24
Feb  2 19:35:43 sg1 dhcpcd[28271]: wlp10s0: using static address 192.168.178.30/24
Feb  2 19:35:43 sg1 dhcpcd[28271]: wlp10s0: adding route to 192.168.178.0/24
Feb  2 19:35:43 sg1 dhcpcd[28271]: wlp10s0: adding default route via 192.168.178.1
Feb  2 19:35:44 sg1 ntpd[5508]: Listen normally on 13 wlp10s0 192.168.178.30:123
Feb  2 19:38:15 sg1 dhcpcd[28271]: wlp10s0: carrier lost
Feb  2 19:38:15 sg1 dhcpcd[28271]: wlp10s0: deleting route to 192.168.178.0/24
Feb  2 19:38:15 sg1 dhcpcd[28271]: wlp10s0: deleting default route via 192.168.178.1
Feb  2 19:38:16 sg1 ntpd[5508]: Deleting interface #13 wlp10s0, 192.168.178.30#123, interface stats: received=0, sent=0, dropped=0, active_time=152 secs
```

```
random: Trying to read entropy from /dev/random
Configuration file: /etc/hostapd/hostapd.conf
nl80211: Supported cipher 00-0f-ac:1
nl80211: Supported cipher 00-0f-ac:5
nl80211: Supported cipher 00-0f-ac:2
nl80211: Supported cipher 00-0f-ac:4
nl80211: Supported cipher 00-0f-ac:10
nl80211: Supported cipher 00-0f-ac:8
nl80211: Supported cipher 00-0f-ac:9
nl80211: Supported cipher 00-0f-ac:6
nl80211: Supported cipher 00-0f-ac:13
nl80211: Supported cipher 00-0f-ac:11
nl80211: Supported cipher 00-0f-ac:12
nl80211: Using driver-based off-channel TX
nl80211: Driver-advertised extended capabilities (default) - hexdump(len=8): 00 00 00 00 00 00 00 40
nl80211: Driver-advertised extended capabilities mask (default) - hexdump(len=8): 00 00 00 00 00 00 00 40
nl80211: interface wlp10s0 in phy phy0
nl80211: Set mode ifindex 4 iftype 3 (AP)
nl80211: Setup AP(wlp10s0) - device_ap_sme=0 use_monitor=0
nl80211: Subscribe to mgmt frames with AP handle 0x559171567a70
nl80211: Register frame type=0xb0 (WLAN_FC_STYPE_AUTH) nl_handle=0x559171567a70 match=
nl80211: Register frame type=0x0 (WLAN_FC_STYPE_ASSOC_REQ) nl_handle=0x559171567a70 match=
nl80211: Register frame type=0x20 (WLAN_FC_STYPE_REASSOC_REQ) nl_handle=0x559171567a70 match=
nl80211: Register frame type=0xa0 (WLAN_FC_STYPE_DISASSOC) nl_handle=0x559171567a70 match=
nl80211: Register frame type=0xc0 (WLAN_FC_STYPE_DEAUTH) nl_handle=0x559171567a70 match=
nl80211: Register frame type=0x40 (WLAN_FC_STYPE_PROBE_REQ) nl_handle=0x559171567a70 match=
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=04
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=0501
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=0504
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=06
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=08
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=09
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=0a
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=11
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=12
nl80211: Register frame type=0xd0 (WLAN_FC_STYPE_ACTION) nl_handle=0x559171567a70 match=7f
rfkill: initial event: idx=0 type=1 op=0 soft=0 hard=0
nl80211: Add own interface ifindex 4 (ifidx_reason -1)
nl80211: if_indices[16]: 4(-1)
phy: phy0
BSS count 1, BSSID mask 00:00:00:00:00:00 (0 bits)
wlp10s0: interface state UNINITIALIZED->COUNTRY_UPDATE
Previous country code DE, new country code DE
nl80211: Regulatory information - country=DE (DFS-ETSI)
nl80211: 2400-2483 @ 40 MHz 20 mBm
nl80211: 5150-5250 @ 80 MHz 20 mBm (no outdoor)
nl80211: 5250-5350 @ 80 MHz 20 mBm (no outdoor) (DFS)
nl80211: 5470-5725 @ 160 MHz 26 mBm (DFS)
nl80211: 5725-5875 @ 80 MHz 13 mBm
nl80211: 57000-66000 @ 2160 MHz 40 mBm
nl80211: Added 802.11b mode based on 802.11g information
Allowed channel: mode=1 chan=1 freq=2412 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=2 freq=2417 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=3 freq=2422 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=4 freq=2427 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=5 freq=2432 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=6 freq=2437 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=7 freq=2442 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=8 freq=2447 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=9 freq=2452 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=10 freq=2457 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=11 freq=2462 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=12 freq=2467 MHz max_tx_power=20 dBm
Allowed channel: mode=1 chan=13 freq=2472 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=1 freq=2412 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=2 freq=2417 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=3 freq=2422 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=4 freq=2427 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=5 freq=2432 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=6 freq=2437 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=7 freq=2442 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=8 freq=2447 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=9 freq=2452 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=10 freq=2457 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=11 freq=2462 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=12 freq=2467 MHz max_tx_power=20 dBm
Allowed channel: mode=0 chan=13 freq=2472 MHz max_tx_power=20 dBm
hw vht capab: 0x0, conf vht capab: 0x0
Completing interface initialization
Mode: IEEE 802.11g  Channel: 1  Frequency: 2412 MHz
DFS 0 channels required radar detection
nl80211: Set freq 2412 (ht_enabled=1, vht_enabled=0, bandwidth=20 MHz, cf1=2412 MHz, cf2=0 MHz)
  * freq=2412
  * vht_enabled=0
  * ht_enabled=1
  * sec_channel_offset=0
  * channel_type=1
RATE[0] rate=10 flags=0x1
RATE[1] rate=20 flags=0x1
RATE[2] rate=55 flags=0x1
RATE[3] rate=110 flags=0x1
RATE[4] rate=60 flags=0x0
RATE[5] rate=90 flags=0x0
RATE[6] rate=120 flags=0x0
RATE[7] rate=180 flags=0x0
RATE[8] rate=240 flags=0x0
RATE[9] rate=360 flags=0x0
RATE[10] rate=480 flags=0x0
RATE[11] rate=540 flags=0x0
hostapd_setup_bss(hapd=0x559171568520 (wlp10s0), first=1)
wlp10s0: Flushing old station entries
nl80211: flush -> DEL_STATION wlp10s0 (all)
wlp10s0: Deauthenticate all stations
nl80211: send_mlme - da= ff:ff:ff:ff:ff:ff noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0xc0 (WLAN_FC_STYPE_DEAUTH) nlmode=3
nl80211: send_mlme -> send_frame
nl80211: send_frame - Use bss->freq=2412
nl80211: send_frame -> send_frame_cmd
nl80211: CMD_FRAME freq=2412 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=26): c0 00 00 00 ff ff ff ff ff ff 50 3e aa 5f 30 56 50 3e aa 5f 30 56 00 00 02 00
nl80211: Frame command failed: ret=-16 (Device or resource busy) (freq=2412 wait=0)
wpa_driver_nl80211_set_key: ifindex=4 (wlp10s0) alg=0 addr=(nil) key_idx=0 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=4 (wlp10s0) alg=0 addr=(nil) key_idx=1 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=4 (wlp10s0) alg=0 addr=(nil) key_idx=2 set_tx=0 seq_len=0 key_len=0
wpa_driver_nl80211_set_key: ifindex=4 (wlp10s0) alg=0 addr=(nil) key_idx=3 set_tx=0 seq_len=0 key_len=0
Using interface wlp10s0 with hwaddr 50:3e:aa:5f:30:56 and ssid "SG1"
Deriving WPA PSK based on passphrase
SSID - hexdump_ascii(len=3):
     53 47 31                                          SG1
PSK (ASCII passphrase) - hexdump_ascii(len=8): [REMOVED]
PSK (from passphrase) - hexdump(len=32): [REMOVED]
random: Got 20/20 bytes from /dev/random
Get randomness: len=32 entropy=0
GMK - hexdump(len=32): [REMOVED]
Get randomness: len=32 entropy=0
Key Counter - hexdump(len=32): [REMOVED]
WPA: Delay group state machine start until Beacon frames have been configured
VLAN: vlan_set_name_type(name_type=2)
nl80211: Set beacon (beacon_set=0)
nl80211: Beacon head - hexdump(len=54): 80 00 00 00 ff ff ff ff ff ff 50 3e aa 5f 30 56 50 3e aa 5f 30 56 00 00 00 00 00 00 00 00 00 00 64 00 11 04 00 03 53 47 31 01 08 82 84 8b 96 0c 12 18 24 03 01 01
nl80211: Beacon tail - hexdump(len=127): 07 06 44 45 20 01 0d 14 2a 01 04 32 04 30 48 60 6c 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00 2d 1a 0c 00 1f ff ff 00 00 01 00 00 00 00 00 2c 01 01 00 00 00 00 00 00 00 00 00 00 3d 16 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 7f 08 00 00 00 02 00 00 00 40 dd 18 00 50 f2 02 01 01 00 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00
nl80211: ifindex=4
nl80211: beacon_int=100
nl80211: dtim_period=2
nl80211: ssid - hexdump_ascii(len=3):
     53 47 31                                          SG1
  * beacon_int=100
  * dtim_period=2
nl80211: hidden SSID not in use
nl80211: privacy=1
nl80211: auth_algs=0x1
nl80211: wpa_version=0x2
nl80211: key_mgmt_suites=0x2
nl80211: pairwise_ciphers=0x10
nl80211: group_cipher=0x10
nl80211: SMPS mode - off
nl80211: beacon_ies - hexdump(len=10): 7f 08 00 00 00 02 00 00 00 40
nl80211: proberesp_ies - hexdump(len=10): 7f 08 00 00 00 02 00 00 00 40
nl80211: assocresp_ies - hexdump(len=10): 7f 08 00 00 00 02 00 00 00 40
WPA: Start group state machine to set initial keys
WPA: group state machine entering state GTK_INIT (VLAN-ID 0)
Get randomness: len=16 entropy=0
GTK - hexdump(len=16): [REMOVED]
WPA: group state machine entering state SETKEYSDONE (VLAN-ID 0)
wpa_driver_nl80211_set_key: ifindex=4 (wlp10s0) alg=3 addr=0x55916fde9221 key_idx=1 set_tx=1 seq_len=0 key_len=16
nl80211: KEY_DATA - hexdump(len=16): [REMOVED]
   broadcast key
nl80211: Set wlp10s0 operstate 0->1 (UP)
netlink: Operstate: ifindex=4 linkmode=-1 (no change), operstate=6 (IF_OPER_UP)
wlp10s0: interface state COUNTRY_UPDATE->ENABLED
wlp10s0: AP-ENABLED
wlp10s0: Setup of interface done.
ctrl_iface not configured!
VLAN: RTM_NEWLINK: ifi_index=4 ifname=wlp10s0 ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
VLAN: vlan_newlink(wlp10s0)
RTM_NEWLINK: ifi_index=4 ifname=wlp10s0 operstate=6 linkmode=0 ifi_family=0 ifi_flags=0x11043 ([UP][RUNNING][LOWER_UP])
Signal 2 received - terminating
hostapd_interface_deinit_free(0x559171567020)
hostapd_interface_deinit_free: num_bss=1 conf->num_bss=1
hostapd_interface_deinit(0x559171567020)
wlp10s0: interface state ENABLED->DISABLED
hostapd_bss_deinit: deinit bss wlp10s0
wlp10s0: Deauthenticate all stations
nl80211: send_mlme - da= ff:ff:ff:ff:ff:ff noack=0 freq=0 no_cck=0 offchanok=0 wait_time=0 fc=0xc0 (WLAN_FC_STYPE_DEAUTH) nlmode=3
nl80211: send_mlme -> send_frame
nl80211: send_frame - Use bss->freq=2412
nl80211: send_frame -> send_frame_cmd
nl80211: CMD_FRAME freq=2412 wait=0 no_cck=0 no_ack=0 offchanok=0
CMD_FRAME - hexdump(len=26): c0 00 00 00 ff ff ff ff ff ff 50 3e aa 5f 30 56 50 3e aa 5f 30 56 00 00 03 00
nl80211: Frame TX command accepted; cookie 0x27
wlp10s0: AP-DISABLED
hostapd_cleanup(hapd=0x559171568520 (wlp10s0))
hostapd_free_hapd_data(wlp10s0)
hostapd_interface_deinit_free: driver=0x559170052c60 drv_priv=0x5591715691b0 -> hapd_deinit
nl80211: deinit ifname=wlp10s0 disabled_11b_rates=0
nl80211: Remove monitor interface: refcount=0
nl80211: Remove beacon (ifindex=4)
netlink: Operstate: ifindex=4 linkmode=0 (kernel-control), operstate=6 (IF_OPER_UP)
nl80211: Set mode ifindex 4 iftype 2 (STATION)
nl80211: Teardown AP(wlp10s0) - device_ap_sme=0 use_monitor=0
nl80211: Unsubscribe mgmt frames handle 0x8888dd19f9def2f9 (AP teardown)
hostapd_interface_free(0x559171567020)
hostapd_interface_free: free hapd 0x559171568520
hostapd_cleanup_iface(0x559171567020)
hostapd_cleanup_iface_partial(0x559171567020)
hostapd_cleanup_iface: free iface=0x559171567020
```
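The "Beacon tail" hexdump in the log above is the line a defender should read first: it is literally what clients see, and the RSN element inside it states the ciphers, key management and management-frame-protection bits the AP offers. The following added example (not code from the thread) splits that tail into its information elements and decodes the RSN IE; the byte string is copied from the dump, and the finding texts refer to hostapd options (rsn_pairwise, ieee80211w, wpa) by name.

```python
import struct

# Beacon tail bytes copied from the "nl80211: Beacon tail - hexdump(len=127)" line
# of the hostapd -dd output above. The 22-byte HT Operation body (primary channel 1
# followed by 21 zero bytes) is written with a multiplier instead of spelled out.
BEACON_TAIL_HEX = (
    "07 06 44 45 20 01 0d 14"                           # Country "DE ": channels 1-13, 20 dBm
    " 2a 01 04"                                         # ERP Information
    " 32 04 30 48 60 6c"                                # Extended Supported Rates
    " 30 14 01 00 00 0f ac 04 01 00 00 0f ac 04 01 00 00 0f ac 02 0c 00"  # RSN
    " 2d 1a 0c 00 1f ff ff 00 00 01 00 00 00 00 00 2c 01 01 00 00 00 00 00 00 00 00 00 00"  # HT Capabilities
    " 3d 16 01" + " 00" * 21                            # HT Operation
    + " 7f 08 00 00 00 02 00 00 00 40"                  # Extended Capabilities
    + " dd 18 00 50 f2 02 01 01 00 00 03 a4 00 00 27 a4 00 00 42 43 5e 00 62 32 2f 00"  # WMM vendor IE
)

IE_NAMES = {7: "Country", 42: "ERP", 45: "HT Capabilities", 48: "RSN",
            50: "Extended Supported Rates", 61: "HT Operation",
            127: "Extended Capabilities", 221: "Vendor Specific"}
RSN_OUI = bytes.fromhex("000fac")
CIPHER_SUITES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                 6: "BIP-CMAC-128", 8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_SUITES = {1: "802.1X", 2: "PSK", 3: "FT-802.1X", 4: "FT-PSK",
              5: "802.1X-SHA256", 6: "PSK-SHA256", 8: "SAE"}


def split_ies(tail: bytes):
    """Walk the tail as a chain of (element id, length, body); refuse truncated input."""
    ies, i = [], 0
    while i < len(tail):
        if i + 2 > len(tail):
            raise ValueError("dangling IE header at offset %d" % i)
        eid, length = tail[i], tail[i + 1]
        body = tail[i + 2:i + 2 + length]
        if len(body) != length:
            raise ValueError("IE %d truncated at offset %d" % (eid, i))
        ies.append((eid, body))
        i += 2 + length
    return ies


def suite_name(raw: bytes, table: dict) -> str:
    """Map a 4-byte suite selector (OUI + type) to a name."""
    if raw[:3] != RSN_OUI:
        return "vendor-%s-%d" % (raw[:3].hex(), raw[3])
    return table.get(raw[3], "unknown-%d" % raw[3])


def parse_rsn(body: bytes) -> dict:
    """Decode version, group/pairwise ciphers, AKM list and the RSN capabilities field."""
    version, = struct.unpack_from("<H", body, 0)
    group = suite_name(body[2:6], CIPHER_SUITES)
    off = 6
    n_pair, = struct.unpack_from("<H", body, off)
    off += 2
    pairwise = [suite_name(body[off + 4 * k:off + 4 * k + 4], CIPHER_SUITES) for k in range(n_pair)]
    off += 4 * n_pair
    n_akm, = struct.unpack_from("<H", body, off)
    off += 2
    akm = [suite_name(body[off + 4 * k:off + 4 * k + 4], AKM_SUITES) for k in range(n_akm)]
    off += 4 * n_akm
    caps, = struct.unpack_from("<H", body, off)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm,
            "capabilities": caps,
            "mfp_capable": bool(caps & 0x0080),    # MFPC, bit 7
            "mfp_required": bool(caps & 0x0040)}   # MFPR, bit 6


def audit_beacon_tail(hex_dump: str) -> dict:
    """Summarise what the beacon advertises and list the points a reviewer would raise."""
    ies = split_ies(bytes.fromhex(hex_dump))
    report = {"ie_names": [IE_NAMES.get(eid, "IE-%d" % eid) for eid, _ in ies],
              "country": None, "rsn": None, "wpa1_ie": False, "findings": []}
    for eid, body in ies:
        if eid == 7:
            report["country"] = body[:3].decode("ascii")
        elif eid == 48:
            report["rsn"] = parse_rsn(body)
        elif eid == 221 and body[:4] == bytes.fromhex("0050f201"):
            report["wpa1_ie"] = True            # Microsoft OUI type 1 = legacy WPA IE
    rsn = report["rsn"]
    if rsn is None:
        report["findings"].append("no RSN IE: network is open or WPA1-only")
    else:
        if "TKIP" in rsn["pairwise"] or rsn["group"] == "TKIP":
            report["findings"].append("TKIP advertised; set rsn_pairwise=CCMP")
        if not rsn["mfp_capable"]:
            report["findings"].append("no management frame protection offered (hostapd ieee80211w=0)")
    if report["wpa1_ie"]:
        report["findings"].append("legacy WPA1 IE present (hostapd wpa=1 or wpa=3)")
    return report


REPORT = audit_beacon_tail(BEACON_TAIL_HEX)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print("%-10s %s" % (key, value))
```

For this beacon the decoder confirms RSN with CCMP-128 only and PSK key management, and its single finding is the absence of 802.11w, which is exactly the point hostapd's own log cannot tell you.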

----------

## bbgermany

Hi,

I have hostapd running in bridge mode with VLAN support. If you'd like to get my config to adapt it to yours, just let me know. I will post it here.

greets, bb

----------

## Rocky007

Hi bbgermany,

would be great to see your config :)

----------

## bbgermany

Hi,

I have two wireless cards and just one Ethernet interface. The first wireless card is an onboard mini-PCI Atheros card with the ath9k driver. The second card is a USB adapter based on the carl9170 chip.

Here are my config files (without passwords ;)):

/etc/conf.d/net

```
vlans_enp2s0="1 2"
config_enp2s0="null"
config_enp2s0_1="null"
config_enp2s0_2="null"

config_brvlan1="192.168.23.221/24"
routes_brvlan1="default via 192.168.23.254"
config_brvlan2="192.168.0.200/24"
routes_brvlan2="default via 192.168.0.254"

dns_domain_lo="domain.tld"
dns_servers_lo="192.168.23.254"
dns_search_lo="domain.tld"

# brctl_brvlan1="setfd 0 sethello 10 stp on"
bridge_forward_delay_brvlan1=0
bridge_hello_time_brvlan1=1000
bridge_stp_state_brvlan1=1
bridge_brvlan1="enp2s0.1"

# brctl_brvlan2="setfd 0 sethello 10 stp on"
bridge_forward_delay_brvlan2=0
bridge_hello_time_brvlan2=1000
bridge_stp_state_brvlan2=1
bridge_brvlan2="enp2s0.2"

config_wlp3s4="null"
modules_wlp3s4="!wpa_supplicant !iwconfig"
config_wlp0s29f7u4="null"
modules_wlp0s29f7u4="!wpa_supplicant !iwconfig"

rc_net_brvlan1_need="net.enp2s0"
rc_net_brvlan2_need="net.enp2s0"

preup() {
        COUNTRY=DE crda
        rfkill unblock all
        iw reg set DE
}
```

Since I have two wlans, one for my internal use and one for my guests, I have two config files:

Internal config, 2.4 GHz wireless N supported with 40 MHz channel bandwidth:

```
bridge=brvlan1
interface=wlp3s4
driver=nl80211
ssid=<my ssid>
channel=6
ignore_broadcast_ssid=0
country_code=DE
ieee80211d=1
hw_mode=g
ieee80211n=1
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][RX-STBC1][MAX-AMSDU-3839]
beacon_int=100
dtim_period=2
macaddr_acl=0
max_num_sta=10
ap_max_inactivity=1200
rts_threshold=2347
fragm_threshold=2346
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
auth_algs=1
wpa=2
# rsn_preauth only applies to WPA-EAP (802.1X) key management, not to WPA-PSK
rsn_preauth=1
rsn_preauth_interfaces=wlp3s4
wpa_key_mgmt=WPA-PSK
# TKIP is deprecated; CCMP alone is the safer choice for both lists
rsn_pairwise=CCMP TKIP
wpa_pairwise=CCMP TKIP
wpa_group_rekey=600
wpa_ptk_rekey=600
wpa_gmk_rekey=86400
wpa_passphrase=<preshared key>
```

For my guests, I have the following config, 5.5 Mbit/s only:

```
bridge=brvlan2
interface=wlp0s29f7u4
driver=nl80211
ssid=guest_wlan
channel=1
ignore_broadcast_ssid=0
country_code=DE
ieee80211d=1
ieee80211h=1
hw_mode=g
ieee80211n=0
# 802.11b rates only (1, 2 and 5.5 Mbit/s)
supported_rates=10 20 55
basic_rates=10 20 55
ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][RX-STBC1][MAX-AMSDU-3839]
beacon_int=100
dtim_period=2
macaddr_acl=0
max_num_sta=10
ap_max_inactivity=1200
rts_threshold=2347
fragm_threshold=2346
logger_syslog_level=2
logger_stdout=-1
logger_stdout_level=2
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
auth_algs=1
wpa=2
# rsn_preauth only applies to WPA-EAP (802.1X) key management, not to WPA-PSK
rsn_preauth=1
rsn_preauth_interfaces=wlp0s29f7u4
wpa_key_mgmt=WPA-PSK
# TKIP is deprecated; CCMP alone is the safer choice for both lists
rsn_pairwise=CCMP TKIP
wpa_pairwise=CCMP TKIP
wpa_group_rekey=600
wpa_ptk_rekey=600
wpa_gmk_rekey=86400
wpa_passphrase=<preshared key>
```

/etc/conf.d/hostapd looks like this:

```
# Space separated List of interfaces which needs to be started before
# hostapd
INTERFACES="brvlan1 brvlan2 wlp3s4 wlp0s29f7u4"

# Space separated list of configuration files
CONFIGS="/etc/hostapd/hostapd_intern.conf /etc/hostapd/hostapd_extern.conf"

# Extra options to pass to hostapd, see hostapd(8)
OPTIONS=""
```

Since free WLAN access is not quite easy in Germany, I still have a key for the guest WLAN. I used an article from heise c't (a German IT magazine) for creating a WLAN AP with a changing password.

```
#!/bin/bash
# Abort before anything is published if a step fails (added for robustness).
set -eu -o pipefail

# Ten random lowercase letters from /dev/urandom become the new guest PSK.
WLANPSK=$(dd if=/dev/urandom count=1 status=none | tr -d -c 'a-z' | cut -b1-10)

# Put the new passphrase into the guest AP config and restart hostapd.
sed -i "s/wpa_passphrase=.*/wpa_passphrase=${WLANPSK}/" /etc/hostapd/hostapd_extern.conf
/etc/init.d/hostapd restart

# QR codes in the WIFI: URI format for Android and Windows clients.
qrencode -t PNG -o /tmp/android.png -s 4 "WIFI:T:WPA;S:guest_wlan;P:${WLANPSK};H:false;"
qrencode -t PNG -o /tmp/windows.png -s 4 "WIFI;T:WPA;S:guest_wlan;P:${WLANPSK};H:false;"

# iOS profile: substitute the PSK into the mobileconfig template and publish it,
# then a QR code that points iOS devices at the published profile.
sed -e "s/<string>wlanpsk/<string>${WLANPSK}/" /usr/local/etc/guestwlan.mobileconfig.in > /tmp/mobileconfig
scp /tmp/mobileconfig root@webserver:/var/www/html/wlan
qrencode -t PNG -o /tmp/ios.png -s 4 "https://<hostname>/wlan/mobileconfig"
scp /tmp/*.png root@webserver:/var/www/html/wlan
```

guestwlan.mobileconfig.in

```
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>EncryptionType</key>
      <string>Any</string>
      <key>HIDDEN_NETWORK</key>
      <false/>
      <key>Password</key>
      <string>wlanpsk</string>
      <key>PayloadIdentifier</key>
      <string>tld.domain.wlan</string>
      <key>PayloadType</key>
      <string>com.apple.wifi.managed</string>
      <key>PayloadUUID</key>
      <string>gast_wlan</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>SSID_STR</key>
      <string>guest_wlan</string>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Profile, for connecting to the guest wlan.</string>
  <key>PayloadDisplayName</key>
  <string>WLAN: guest_wlan</string>
  <key>PayloadIdentifier</key>
  <string>tld.domain</string>
  <key>PayloadOrganization</key>
  <string>DOMAIN</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>guest_wlan</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
```

I hope this helps a bit. If you have further questions, just ask.

greets, bb
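An added example (not bbgermany's code) that parses hostapd.conf key=value lines and flags the settings a reviewer would question in the two configs above: TKIP in rsn_pairwise, no ieee80211w, rsn_preauth with WPA-PSK, and a placeholder passphrase. INTERNAL_CONF mirrors the security-relevant lines of the posted internal config; HARDENED_CONF is a constructed counterpart with a constructed passphrase.

```python
# Constructed sample: the security-relevant lines of the internal hostapd config above.
INTERNAL_CONF = """\
bridge=brvlan1
interface=wlp3s4
driver=nl80211
ssid=<my ssid>
channel=6
ignore_broadcast_ssid=0
macaddr_acl=0
auth_algs=1
wpa=2
rsn_preauth=1
rsn_preauth_interfaces=wlp3s4
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP TKIP
wpa_pairwise=CCMP TKIP
wpa_passphrase=<preshared key>
"""

# Constructed hardened counterpart: CCMP only, 802.11w required, no dead options,
# and a constructed (not real) passphrase.
HARDENED_CONF = """\
bridge=brvlan1
interface=wlp3s4
driver=nl80211
ssid=internal
channel=6
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
ieee80211w=2
wpa_passphrase=constructed-example-passphrase
"""


def parse_hostapd_conf(text: str) -> dict:
    """hostapd.conf is one key=value per line; '#' starts a comment. Values may contain '='."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError("malformed hostapd.conf line: %r" % raw)
        conf[key.strip()] = value.strip()
    return conf


def audit_hostapd_conf(conf: dict) -> list:
    """Return the review findings for one BSS configuration (empty list = nothing to raise)."""
    findings = []
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: open network without encryption")
    elif wpa in ("1", "3"):
        findings.append("wpa=%s: legacy WPA1 enabled; use wpa=2" % wpa)
    # With wpa=2 hostapd reads rsn_pairwise; wpa_pairwise is the WPA1 list.
    ciphers = set(conf.get("rsn_pairwise", conf.get("wpa_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("rsn_pairwise allows TKIP; set rsn_pairwise=CCMP")
    if conf.get("ieee80211w", "0") == "0":
        findings.append("ieee80211w unset or 0: no 802.11w management frame protection")
    akm = conf.get("wpa_key_mgmt", "").split()
    if conf.get("rsn_preauth") == "1" and not any(a.startswith("WPA-EAP") for a in akm):
        findings.append("rsn_preauth=1 has no effect without WPA-EAP key management")
    psk = conf.get("wpa_passphrase")
    if psk is not None:
        if psk.startswith("<") and psk.endswith(">"):
            findings.append("wpa_passphrase is still a placeholder")
        elif not 8 <= len(psk) <= 63:
            findings.append("wpa_passphrase must be 8 to 63 characters")
    # hostapd's default auth_algs=3 also permits Shared Key (WEP) authentication.
    if conf.get("auth_algs", "3") in ("2", "3"):
        findings.append("auth_algs permits Shared Key authentication; set auth_algs=1")
    return findings


if __name__ == "__main__":
    for name, text in (("internal", INTERNAL_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_hostapd_conf(parse_hostapd_conf(text)))
```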

----------

## Rocky007

I'm not managing to get an IP address from DHCP; with nmap I only get an answer on one VLAN (br0.2, 192.168.2.0/24).

I configured the following now:

/etc/conf.d/net

```
config_enp6s0="192.168.178.29/24"
routes_enp6s0="default via 192.168.178.1"
# 127.0.0.1 instead of "localhost": resolv.conf nameserver entries must be IP addresses
dns_servers_enp6s0="127.0.0.1 192.168.178.1"

config_enp7s0="null"

modules_wlp10s0="!iwconfig !wpa_supplicant"
config_wlp10s0="null"

bridge_br0="enp7s0"
rc_net_br0_need="net.enp7s0"
bridge_forward_delay_br0=0
bridge_hello_time_br0=1000

vlans_br0="1 2"
config_br0="null"
config_br0_1="192.168.1.1/24"
config_br0_2="192.168.2.1/24"

preup() {
        rfkill unblock all
}
```

/etc/conf.d/dhcpd

```
DHCPD_IFACE="br0.1 br0.2"
```

/etc/conf.d/hostapd

```
INTERFACES="br0.1 br0.2"
```

ip addr

```
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp7s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0 state UP group default qlen 1000
    link/ether 1c:1b:0d:9e:18:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1e1b:dff:fe9e:1827/64 scope link
       valid_lft forever preferred_lft forever
3: enp6s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 1c:1b:0d:9e:18:25 brd ff:ff:ff:ff:ff:ff
    inet 192.168.178.29/24 brd 192.168.178.255 scope global enp6s0
       valid_lft forever preferred_lft forever
    inet6 fe80::1e1b:dff:fe9e:1825/64 scope link
       valid_lft forever preferred_lft forever
4: wlp10s0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state DOWN group default qlen 1000
    link/ether 50:3e:aa:5f:30:56 brd ff:ff:ff:ff:ff:ff
5: sit0@NONE: <NOARP> mtu 1480 qdisc noop state DOWN group default qlen 1
    link/sit 0.0.0.0 brd 0.0.0.0
6: br0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:1b:0d:9e:18:27 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::1e1b:dff:fe9e:1827/64 scope link
       valid_lft forever preferred_lft forever
7: br0.1@br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:1b:0d:9e:18:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global br0.1
       valid_lft forever preferred_lft forever
    inet6 fe80::1e1b:dff:fe9e:1827/64 scope link
       valid_lft forever preferred_lft forever
8: br0.2@br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 1c:1b:0d:9e:18:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.2.1/24 brd 192.168.2.255 scope global br0.2
       valid_lft forever preferred_lft forever
    inet6 fe80::1e1b:dff:fe9e:1827/64 scope link
       valid_lft forever preferred_lft forever
9: tun0: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UNKNOWN group default qlen 100
    link/none
    inet 10.100.0.1 peer 10.100.0.2/32 scope global tun0
       valid_lft forever preferred_lft forever
    inet6 fe80::4e7d:a348:9839:6ad/64 scope link stable-privacy
       valid_lft forever preferred_lft forever
```

iptables

```
f2b-ssh    tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 state NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:67:68 dpts:67:68
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:137
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:138
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:445
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:873
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:465
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:25
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:993
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:143
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:443
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:80
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:3306
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:1900
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:8200
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:9001
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1194
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpts:8000:8010
ACCEPT     tcp  --  127.0.0.1            127.0.0.1            tcp dpt:10023
ACCEPT     tcp  --  127.0.0.1            127.0.0.1            tcp dpt:10024
ACCEPT     tcp  --  127.0.0.1            127.0.0.1            tcp dpt:10025
ACCEPT     all  --  192.168.178.0/24     0.0.0.0/0
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID,NEW
```

/etc/dhcp/dhcpd.conf

```
option domain-name "rock.lan";
option domain-name-servers ns.rock.lan;

default-lease-time 600;
max-lease-time 7200;

ddns-update-style interim;
ddns-updates on;
update-static-leases on;
deny-client-update;
ddns-domainname "rock.lan.";
# fixed: was "in-addr-arpa." (typo), reverse zones live under in-addr.arpa.
ddns-rev-domainname "in-addr.arpa.";

authoritative;
log-facility local7;

key "DHCP_UPDATER" {
        algorithm HMAC-MD5.SIG-ALG.REG.INT;
        secret "******";
};

zone rock.lan. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 1.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

zone 2.168.192.in-addr.arpa. {
        primary 127.0.0.1;
        key DHCP_UPDATER;
}

subnet 192.168.1.0 netmask 255.255.255.0 {
        range 192.168.1.2 192.168.1.254;
        option routers 192.168.1.1;
        option broadcast-address 192.168.1.255;
        option domain-search "my.lan";
        ddns-domainname "my.lan";
        # only clients with a matching host declaration get an answer here
        deny unknown-clients;
}

subnet 192.168.2.0 netmask 255.255.255.0 {
        range 192.168.2.2 192.168.2.254;
        option routers 192.168.2.1;
        option broadcast-address 192.168.2.255;
        option domain-search "my.lan";
        ddns-domainname "my.lan";
        allow unknown-clients;
}
```

tcpdump -i br0.1 -nev udp port 68 |  nmap --script broadcast-dhcp-discover -e br0.1

```
Starting Nmap 7.40 ( https://nmap.org ) at 2018-02-06 19:42 CET
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.22 seconds
```

```
dropped privs to tcpdump
tcpdump: listening on br0.1, link-type EN10MB (Ethernet), capture size 262144 bytes
19:42:27.717869 1c:1b:0d:9e:18:27 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: (tos 0x0, ttl 64, id 41302, offset 0, flags [DF], proto UDP (17), length 344)
    192.168.1.1.68 > 255.255.255.255.67: BOOTP/DHCP, Request from de:ad:c0:de:ca:fe, length 316, xid 0xe235f702, Flags [Broadcast]
          Client-Ethernet-Address de:ad:c0:de:ca:fe
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Parameter-Request Option 55, length 64:
              Option 252, Subnet-Mask, Time-Zone, Default-Gateway
              Time-Server, IEN-Name-Server, Domain-Name-Server, LOG
              CS, LPR-Server, IM, RL
              Hostname, BS, DP, Domain-Name
              SS, RP, EP, IPF
              SRT, PF, RSZ, TTL
              MTU-Timeout, MTU-Table, MTU, LSN
              BR, MD, MS, Router-Discovery
              RSA, Static-Route, UT, AT
              IE, TT, KI, KG
              YD, YS, NTP, Vendor-Option
              Netbios-Name-Server, WDD, Netbios-Node, Netbios-Scope
              XFS, XDM, Requested-IP, Lease-Time
              OO, DHCP-Message, Server-ID, Parameter-Request
              MSG, MSZ, RN, RB
              Vendor-Class, Client-ID, BF, TFTP
            Lease-Time Option 51, length 4: 1
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
```

tcpdump -i br0.2 -nev udp port 68 |  nmap --script broadcast-dhcp-discover -e br0.2

```
Starting Nmap 7.40 ( https://nmap.org ) at 2018-02-06 19:44 CET
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     IP Offered: 192.168.2.2
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.2.1
|     IP Address Lease Time: 5m00s
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.2.1
|     Domain Name: rock.lan
|_    Broadcast Address: 192.168.2.255
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 1.24 seconds
```

```

dropped privs to tcpdump

tcpdump: listening on br0.2, link-type EN10MB (Ethernet), capture size 262144 bytes

19:44:19.927901 1c:1b:0d:9e:18:27 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 358: (tos 0x0, ttl 64, id 16779, offset 0, flags [DF], proto UDP (17), length 344)

    192.168.2.1.68 > 255.255.255.255.67: BOOTP/DHCP, Request from de:ad:c0:de:ca:fe, length 316, xid 0xdb8a1467, Flags [Broadcast]

          Client-Ethernet-Address de:ad:c0:de:ca:fe

          Vendor-rfc1048 Extensions

            Magic Cookie 0x63825363

            DHCP-Message Option 53, length 1: Discover

            Parameter-Request Option 55, length 64:

              Option 252, Subnet-Mask, Time-Zone, Default-Gateway

              Time-Server, IEN-Name-Server, Domain-Name-Server, LOG

              CS, LPR-Server, IM, RL

              Hostname, BS, DP, Domain-Name

              SS, RP, EP, IPF

              SRT, PF, RSZ, TTL

              MTU-Timeout, MTU-Table, MTU, LSN

              BR, MD, MS, Router-Discovery

              RSA, Static-Route, UT, AT

              IE, TT, KI, KG

              YD, YS, NTP, Vendor-Option

              Netbios-Name-Server, WDD, Netbios-Node, Netbios-Scope

              XFS, XDM, Requested-IP, Lease-Time

              OO, DHCP-Message, Server-ID, Parameter-Request

              MSG, MSZ, RN, RB

              Vendor-Class, Client-ID, BF, TFTP

            Lease-Time Option 51, length 4: 1

19:44:20.941556 1c:1b:0d:9e:18:27 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 342: (tos 0x10, ttl 128, id 0, offset 0, flags [none], proto UDP (17), length 328)

    192.168.2.1.67 > 255.255.255.255.68: BOOTP/DHCP, Reply, length 300, xid 0xdb8a1467, Flags [Broadcast]

          Your-IP 192.168.2.2

          Client-Ethernet-Address de:ad:c0:de:ca:fe

          Vendor-rfc1048 Extensions

            Magic Cookie 0x63825363

            DHCP-Message Option 53, length 1: Offer

            Server-ID Option 54, length 4: 192.168.2.1

            Lease-Time Option 51, length 4: 300

            Subnet-Mask Option 1, length 4: 255.255.255.0

            Default-Gateway Option 3, length 4: 192.168.2.1

            Domain-Name Option 15, length 8: "rock.lan"

            BR Option 28, length 4: 192.168.2.255

^C

2 packets captured

2 packets received by filter

0 packets dropped by kernel

```
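The tcpdump output above shows the raw BOOTP header and the RFC 1048 option list that nmap's broadcast-dhcp-discover script summarises. As an added example (my code, not anything posted in this thread), here is a small decoder for that wire format: it walks the option list with proper length checks, decodes the options seen in the capture, and includes a check that the Server-ID of an offer is one of the servers you expect, which is the same rogue-DHCP question the nmap script is normally used to answer. The sample DHCPOFFER is constructed in code to carry the values from the capture (192.168.2.2 offered by 192.168.2.1, lease 300 s, domain rock.lan); it is not a real packet dump.

```python
import struct
import ipaddress

# Option codes that appear in the capture above (RFC 2132 names).
OPTION_NAMES = {
    1: "Subnet-Mask", 3: "Default-Gateway", 15: "Domain-Name",
    28: "Broadcast-Address", 51: "Lease-Time", 53: "DHCP-Message",
    54: "Server-ID", 55: "Parameter-Request",
}
MESSAGE_TYPES = {1: "Discover", 2: "Offer", 3: "Request", 4: "Decline",
                 5: "Ack", 6: "Nak", 7: "Release", 8: "Inform"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"


def decode_option(code, data):
    """Turn the raw bytes of one option into a Python value."""
    if code in (1, 3, 28, 54):
        return str(ipaddress.IPv4Address(data))
    if code == 51:
        return struct.unpack("!I", data)[0]
    if code == 53:
        return MESSAGE_TYPES.get(data[0], f"type-{data[0]}")
    if code == 15:
        return data.decode("ascii", errors="replace")
    if code == 55:
        return list(data)
    return data.hex()


def parse_dhcp(payload):
    """Decode the fixed BOOTP header and the RFC 1048 option list of one UDP payload."""
    if len(payload) < 240:
        raise ValueError("payload shorter than BOOTP header plus magic cookie")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", payload[:12])
    yiaddr = payload[16:20]                 # "Your-IP" in the tcpdump output
    chaddr = payload[28:28 + hlen]          # client hardware address
    if payload[236:240] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    msg = {
        "op": "Request" if op == 1 else "Reply",
        "xid": f"0x{xid:08x}",
        "broadcast": bool(flags & 0x8000),
        "your_ip": str(ipaddress.IPv4Address(yiaddr)),
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        "options": {},
    }
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad: single byte, no length field
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        data = payload[i + 2:i + 2 + length]
        if len(data) != length:  # length byte claims more bytes than the packet has
            raise ValueError(f"option {code} truncated")
        msg["options"][OPTION_NAMES.get(code, f"Option-{code}")] = decode_option(code, data)
        i += 2 + length
    return msg


def unexpected_server(msg, allowed_servers):
    """Return the Server-ID of an offer that did not come from an allow-listed server, else None."""
    sid = msg["options"].get("Server-ID")
    return None if sid in allowed_servers else sid


def build_sample_offer():
    """Constructed DHCPOFFER carrying the values from the capture above (not a real packet dump)."""
    def ip(s):
        return ipaddress.IPv4Address(s).packed
    hdr = struct.pack("!BBBBIHH", 2, 1, 6, 0, 0xdb8a1467, 0, 0x8000)  # op=Reply, broadcast flag set
    hdr += bytes(4) + ip("192.168.2.2") + bytes(4) + bytes(4)          # ciaddr, yiaddr, siaddr, giaddr
    hdr += bytes.fromhex("deadc0decafe") + bytes(10)                   # chaddr, padded to 16 bytes
    hdr += bytes(64) + bytes(128)                                      # sname, file
    opts = MAGIC_COOKIE
    opts += bytes([53, 1, 2])                                          # DHCP-Message: Offer
    opts += bytes([54, 4]) + ip("192.168.2.1")                         # Server-ID
    opts += bytes([51, 4]) + struct.pack("!I", 300)                    # Lease-Time
    opts += bytes([1, 4]) + ip("255.255.255.0")                        # Subnet-Mask
    opts += bytes([3, 4]) + ip("192.168.2.1")                          # Default-Gateway
    opts += bytes([15, 8]) + b"rock.lan"                               # Domain-Name
    opts += bytes([28, 4]) + ip("192.168.2.255")                       # Broadcast-Address
    opts += bytes([255])
    return hdr + opts


if __name__ == "__main__":
    offer = parse_dhcp(build_sample_offer())
    for name, value in offer["options"].items():
        print(f"{name}: {value}")
    print("rogue server:", unexpected_server(offer, {"192.168.2.1"}))
```

Feeding the UDP payload of a real capture (for example one saved with `tcpdump -w` and read with any pcap library) into `parse_dhcp` gives the same dictionary; comparing the Server-ID of every offer against the address of the dhcpd you run yourself is a cheap way to notice a second DHCP server appearing on the bridge.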

----------

## bbgermany

I'm very sorry, but I cannot follow what you are trying to do. Can you please explain?

On the other hand, I would suggest you create a bridge interface with enp7s0 first and assign it an IP address, either statically within 192.168.178.x/24 or via DHCP from your Fritz!Box. Then create the wireless interface with no config and add it via hostapd to your bridge.

for example like this:

/etc/conf.d/net

```

config_enp7s0="null"

config_wlp10s0="null" 

bridge_br0="enp7s0" 

rc_net_br0_need="net.enp7s0" 

bridge_forward_delay_br0=0 

bridge_hello_time_br0=1000 

config_br0="dhcp"

# alternate static config

# config_br0="192.168.178.29/24"

# routes_br0="default via 192.168.178.1"

# dns_servers_br0="localhost 192.168.178.1"

preup() { 

        rfkill unblock all 

} 

```

Now take care of your hostapd.conf and /etc/conf.d/hostapd

/etc/conf.d/hostapd

```

# Space separated List of interfaces which needs to be started before

# hostapd

INTERFACES="br0 wlp10s0"

# Space separated list of configuration files

CONFIGS="/etc/hostapd/hostapd.conf"

# Extra options to pass to hostapd, see hostapd(8)

OPTIONS=""

```

/etc/hostapd/hostapd.conf

```

bridge=br0

interface=wlp10s0

driver=nl80211

ssid=<your ssid>

channel=6

ignore_broadcast_ssid=0

country_code=DE

ieee80211d=1

hw_mode=g

ieee80211n=1

ht_capab=[HT40+][SHORT-GI-40][DSSS_CCK-40][RX-STBC1][MAX-AMSDU-3839]

beacon_int=100

dtim_period=2

macaddr_acl=0

max_num_sta=10

ap_max_inactivity=1200

rts_threshold=2347

fragm_threshold=2346

logger_syslog_level=2

logger_stdout=-1

logger_stdout_level=2

ctrl_interface=/var/run/hostapd

ctrl_interface_group=0

auth_algs=1

wpa=2

rsn_preauth=1

rsn_preauth_interfaces=wlp3s4

wpa_key_mgmt=WPA-PSK

rsn_pairwise=CCMP TKIP

wpa_pairwise=CCMP TKIP

wpa_group_rekey=600

wpa_ptk_rekey=600

wpa_gmk_rekey=86400

wpa_passphrase=<your key>

```

If this works, you should redo your VLAN config. My problem was adding a single WLAN interface to two VLANs, so I added a second WLAN adapter.

greets, bb
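The hostapd.conf above is a reasonable WPA2-PSK template, but two of its lines deserve a second look when it goes into production: `rsn_pairwise=CCMP TKIP` and `wpa_pairwise=CCMP TKIP` let clients negotiate TKIP, which 802.11 deprecated in favour of CCMP. As an added example (mine, not code from the thread or from the hostapd project), here is a small parser for hostapd's key=value format plus a lint pass that flags the settings which weaken a WPA2-PSK access point: WPA1 enabled through `wpa=1`/`wpa=3`, TKIP in either pairwise list, shared-key authentication through `auth_algs`, and a passphrase that is still a placeholder or outside hostapd's 8 to 63 character range. The embedded config is a constructed excerpt that keeps the security-relevant keys of the posted one.

```python
import re

# Constructed hostapd.conf excerpt with the same security-relevant keys as the
# config in the post above; the <your ssid>/<your key> placeholders are kept as posted.
SAMPLE_CONF = """\
interface=wlp10s0
bridge=br0
driver=nl80211
ssid=<your ssid>
auth_algs=1
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP TKIP
wpa_pairwise=CCMP TKIP
wpa_passphrase=<your key>
"""


def parse_hostapd_conf(text):
    """Parse hostapd's key=value format, ignoring blank lines and # comments."""
    conf = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"line {lineno}: expected key=value, got {line!r}")
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def lint_hostapd(conf):
    """Return a list of findings for settings that weaken a WPA2-PSK access point."""
    findings = []
    # wpa is a bit field: 1 = WPA (v1), 2 = RSN/WPA2, 3 = both, 0/unset = no WPA.
    wpa = conf.get("wpa", "0")
    if wpa == "0":
        findings.append("wpa=0: no WPA at all, the network is open")
    elif wpa != "2":
        findings.append(f"wpa={wpa}: enables the deprecated WPA (v1) handshake; use wpa=2")
    # wpa_pairwise applies to WPA (v1) clients, rsn_pairwise to WPA2 clients.
    for key in ("wpa_pairwise", "rsn_pairwise"):
        if "TKIP" in conf.get(key, "").split():
            findings.append(f"{key} permits TKIP; restrict to CCMP")
    # auth_algs is a bit field too: 1 = open system, 2 = WEP shared key.
    if conf.get("auth_algs", "1") != "1":
        findings.append(f"auth_algs={conf['auth_algs']}: values other than 1 enable WEP shared-key authentication")
    if "WPA-PSK" in conf.get("wpa_key_mgmt", "").split():
        pw = conf.get("wpa_passphrase", "")
        if re.fullmatch(r"<.*>", pw):
            findings.append("wpa_passphrase is still a placeholder")
        elif not 8 <= len(pw) <= 63:
            findings.append("wpa_passphrase must be 8 to 63 characters")
    return findings


if __name__ == "__main__":
    conf = parse_hostapd_conf(SAMPLE_CONF)
    for finding in lint_hostapd(conf) or ["no findings"]:
        print(finding)
```

Run it against `/etc/hostapd/hostapd.conf` by reading the file into `parse_hostapd_conf`; with `wpa=2` only the `rsn_pairwise` line actually governs the negotiated cipher, but trimming both lists to `CCMP` keeps the file unambiguous if someone later turns `wpa=3` on.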

----------

## Rocky007

enp6s0 is my interface connected to my FritzBox.

enp7s0 and wlp10s0 are bridged in br0.

hostapd worked perfectly...

What I'm now trying to do is connect to the AP and get an IP via my internal DHCP.

The DHCP has 2 different subnets:

192.168.1.0/24

192.168.2.0/24

For this I think I have to use VLANs, because there is just one Ethernet and one WLAN card but 2 subnets, right?

----------

## bbgermany

/etc/conf.d/hostapd must contain all interfaces in the list, iirc.

It wasn't working in my case when only the bridged interfaces were named in the list.

greets, bb

----------

## Rocky007

It was starting, but I didn't get an IP...

Now I've got the following in the hostapd list:

INTERFACES="br0.1 br0.2 wlp10s0"...

Next thing is to get DHCP working, and then I can say if it's working.

----------

## bbgermany

Try setting a static ip on the wlan client and ping the interfaces of the hostapd server. 

greets, bb

----------

## Rocky007

Okay...

Now I've got it to work with just br0 and wlp10s0.

/etc/conf.d/net

```

config_enp6s0="192.168.178.29/24"

routes_enp6s0="default via 192.168.178.1"

dns_servers_enp6s0="localhost 192.168.178.1"

config_enp7s0="null"

modules_wlp10s0="!iwconfig !wpa_supplicant"

config_wlp10s0="null"

bridge_br0="enp7s0"

rc_net_br0_need="net.enp7s0"

bridge_forward_delay_br0=0

bridge_hello_time_br0=1000

#vlans_br0="1 2"

config_br0="192.168.1.1/24 192.168.2.1/24"

#config_br0_1="192.168.1.1/24"

#config_br0_2="192.168.2.1/24"

preup() {

        rfkill unblock all

}

```

/etc/conf.d/dhcpd

```

DHCPD_IFACE="br0"

```

Here is what is not working in this setup:

```

Feb  6 20:56:51 sg1 dhcpd[7280]: irs_resconf_load failed: 59.

Feb  6 20:56:51 sg1 dhcpd[7280]: Unable to set resolver from resolv.conf; startup continuing but DDNS support may be affected

Feb  6 20:56:51 sg1 dhcpd[7280]: Internet Systems Consortium DHCP Server 4.3.5 Gentoo-r0

Feb  6 20:56:51 sg1 dhcpd[7280]: Copyright 2004-2016 Internet Systems Consortium.

Feb  6 20:56:51 sg1 dhcpd[7280]: All rights reserved.

Feb  6 20:56:51 sg1 dhcpd[7280]: For info, please visit https://www.isc.org/software/dhcp/

Feb  6 20:56:51 sg1 dhcpd[7280]: Wrote 0 deleted host decls to leases file.

Feb  6 20:56:51 sg1 dhcpd[7280]: Wrote 0 new dynamic host decls to leases file.

Feb  6 20:56:51 sg1 dhcpd[7280]: Wrote 0 leases to leases file.

Feb  6 20:56:51 sg1 dhcpd[7282]: Server starting service.

Feb  6 20:56:56 sg1 dhcpd[7282]: Dynamic and static leases present for 192.168.1.3.

Feb  6 20:56:56 sg1 dhcpd[7282]: Remove host declaration VENUS or remove 192.168.1.3

Feb  6 20:56:56 sg1 dhcpd[7282]: from the dynamic address pool for 192.168.1.0/24

Feb  6 20:56:56 sg1 dhcpd[7282]: DHCPREQUEST for 192.168.1.3 from c8:9c:dc:d1:b9:ba via br0

Feb  6 20:56:56 sg1 dhcpd[7282]: ns1.rock.lan: host unknown.

Feb  6 20:56:56 sg1 dhcpd[7282]: DHCPACK on 192.168.1.3 to c8:9c:dc:d1:b9:ba via br0

Feb  6 20:56:56 sg1 dhcpd[7282]: Unable to add forward map from VENUS.rock.lan to 192.168.1.3: SERVFAIL

Feb  6 20:57:17 sg1 dhcpd[7282]: DHCPDISCOVER from 8c:f5:a3:7a:19:9c via br0

Feb  6 20:57:18 sg1 dhcpd[7282]: DHCPOFFER on 192.168.1.2 to 8c:f5:a3:7a:19:9c (Samsung-Galaxy-S7) via br0

Feb  6 20:57:18 sg1 dhcpd[7282]: DHCPREQUEST for 192.168.1.2 (192.168.1.1) from 8c:f5:a3:7a:19:9c (Samsung-Galaxy-S7) via br0

Feb  6 20:57:18 sg1 dhcpd[7282]: DHCPACK on 192.168.1.2 to 8c:f5:a3:7a:19:9c (Samsung-Galaxy-S7) via br0

Feb  6 20:57:18 sg1 dhcpd[7282]: Unable to add forward map from Samsung-Galaxy-S7.rock.lan to 192.168.1.2: SERVFAIL

```

This is the result from named:

/var/log/named/named.conf

```

06-Feb-2018 21:31:13.611 update-security: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: signer "dhcp_updater" approved

06-Feb-2018 21:31:13.611 update: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: updating zone 'rock.lan/IN': adding an RR at 'Samsung-Galaxy-S7.rock.lan' A 192.168.1.2

06-Feb-2018 21:31:13.611 update: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: updating zone 'rock.lan/IN': adding an RR at 'Samsung-Galaxy-S7.rock.lan' TXT "31736cad8d609e589a58b3efa14718a76c"

06-Feb-2018 21:31:13.611 general: error: pri/rock.lan.jnl: create: permission denied

06-Feb-2018 21:31:13.611 update: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: updating zone 'rock.lan/IN': error: journal open failed: unexpected error

06-Feb-2018 21:36:01.852 update-security: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: signer "dhcp_updater" approved

06-Feb-2018 21:36:01.852 update: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: updating zone 'rock.lan/IN': adding an RR at 'Samsung-Galaxy-S7.rock.lan' A 192.168.1.2

06-Feb-2018 21:36:01.852 update: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: updating zone 'rock.lan/IN': adding an RR at 'Samsung-Galaxy-S7.rock.lan' TXT "31736cad8d609e589a58b3efa14718a76c"

06-Feb-2018 21:36:01.852 general: error: pri/rock.lan.jnl: create: permission denied

06-Feb-2018 21:36:01.852 update: info: client @0x7fea80122280 127.0.0.1#61433/key dhcp_updater: updating zone 'rock.lan/IN': error: journal open failed: unexpected error

```

Permission overview, nothing changed except by portage:

```

 ls -lah /etc | grep bind

 drwxr-xr-x  2 named    root     4,0K  6. Feb 21:11 bind

ls -lah /etc/bind/

drwxr-xr-x  2 named root  4,0K  6. Feb 21:11 .

drwxr-xr-x 80 root  root  4,0K  6. Feb 21:08 ..

-rw-r-----  1 root  named 3,9K 26. Jan 18:19 bind.keys

lrwxrwxrwx  1 root  root    13 26. Jan 18:19 dyn -> /var/bind/dyn

-rw-r-----  1 root  named 1,6K  6. Feb 21:30 named.conf

-rw-r-----  1 root  named 1,6K  6. Feb 21:11 named.conf.save

lrwxrwxrwx  1 root  root    13 26. Jan 18:19 pri -> /var/bind/pri

-rw-r-----  1 root  named   77  8. Aug 10:48 rndc.key

lrwxrwxrwx  1 root  root    13 26. Jan 18:19 sec -> /var/bind/sec

ls -lah /etc/bind/dyn/

drwxrwx--- 2 root named 4,0K 26. Jan 18:19 .

drwxrwx--- 5 root named 4,0K  6. Feb 21:31 ..

-rw-r--r-- 1 root root     0 26. Jan 18:19 .keep_net-dns_bind-0

ls -lah /etc/bind/pri/

drwxr-x--- 2 root named 4,0K  6. Feb 15:21 .

drwxrwx--- 5 root named 4,0K  6. Feb 21:31 ..

-rw-r--r-- 1 root root     0 26. Jan 18:19 .keep_net-dns_bind-0

-rw-r--r-- 1 root named  241  6. Feb 15:16 1.168.192.zone

-rw-r--r-- 1 root named  265  6. Feb 15:17 2.168.192.zone

-rw-r----- 1 root named  426 26. Jan 18:19 localhost.zone

-rw-r--r-- 1 root named  334  6. Feb 15:19 rock.lan

ls -lah /etc/bind/sec/

drwxrwx--- 2 root named 4,0K 26. Jan 18:19 .

drwxrwx--- 5 root named 4,0K  6. Feb 21:31 ..

-rw-r--r-- 1 root root     0 26. Jan 18:19 .keep_net-dns_bind-0

ls -lah /var/ | grep bind

 drwxrwx---  5 root   named  4,0K  6. Feb 21:31 bind

ls -lah /var/bind/

drwxrwx---  5 root  named 4,0K  6. Feb 21:31 .

drwxr-xr-x 13 root  root  4,0K 11. Dez 20:37 ..

drwxrwx---  2 root  named 4,0K 26. Jan 18:19 dyn

-rw-r--r--  1 named named 1,4K  6. Feb 21:31 managed-keys.bind

-rw-r--r--  1 named named  512  6. Feb 21:31 managed-keys.bind.jnl

-rw-r-----  1 root  named 3,3K 26. Jan 18:19 named.cache

drwxr-x---  2 root  named 4,0K  6. Feb 15:21 pri

lrwxrwxrwx  1 root  root    11 26. Jan 18:19 root.cache -> named.cache

drwxrwx---  2 root  named 4,0K 26. Jan 18:19 sec

ls -lah /var/bind/dyn/

drwxrwx--- 2 root named 4,0K 26. Jan 18:19 .

drwxrwx--- 5 root named 4,0K  6. Feb 21:31 ..

-rw-r--r-- 1 root root     0 26. Jan 18:19 .keep_net-dns_bind-0

ls -lah /var/bind/pri/

drwxr-x--- 2 root named 4,0K  6. Feb 15:21 .

drwxrwx--- 5 root named 4,0K  6. Feb 21:31 ..

-rw-r--r-- 1 root root     0 26. Jan 18:19 .keep_net-dns_bind-0

-rw-r--r-- 1 root named  241  6. Feb 15:16 1.168.192.zone

-rw-r--r-- 1 root named  265  6. Feb 15:17 2.168.192.zone

-rw-r----- 1 root named  426 26. Jan 18:19 localhost.zone

-rw-r--r-- 1 root named  334  6. Feb 15:19 rock.lan

ls -lah /var/bind/sec/

drwxrwx--- 2 root named 4,0K 26. Jan 18:19 .

drwxrwx--- 5 root named 4,0K  6. Feb 21:31 ..

-rw-r--r-- 1 root root     0 26. Jan 18:19 .keep_net-dns_bind-0

```
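Read as a defender, the two logs above tell a consistent story: the lease exchange itself completes (dhcpd sends DHCPACK for both 192.168.1.3 and 192.168.1.2), what fails is every DDNS update, which comes back SERVFAIL because named reports `pri/rock.lan.jnl: create: permission denied`, and the listing shows `/var/bind/pri` is `drwxr-x--- root named`, so the named user has no write access there. dhcpd also warns that 192.168.1.3 is both a fixed-address host (VENUS) and inside the dynamic pool. As an added example (my code, not from the thread), here is a parser for dhcpd's syslog lines that reconstructs the DISCOVER/OFFER/REQUEST/ACK flow per client MAC and reports DDNS failures, static/dynamic lease conflicts and discovers that never got an offer, the three things worth alerting on in such a setup. The sample lines are those from the post, embedded as a constructed input.

```python
import re

# Lines taken from the dhcpd log in the post above, embedded here as a constructed sample.
SAMPLE_LOG = """\
Feb  6 20:56:51 sg1 dhcpd[7282]: Server starting service.
Feb  6 20:56:56 sg1 dhcpd[7282]: Dynamic and static leases present for 192.168.1.3.
Feb  6 20:56:56 sg1 dhcpd[7282]: Remove host declaration VENUS or remove 192.168.1.3
Feb  6 20:56:56 sg1 dhcpd[7282]: from the dynamic address pool for 192.168.1.0/24
Feb  6 20:56:56 sg1 dhcpd[7282]: DHCPREQUEST for 192.168.1.3 from c8:9c:dc:d1:b9:ba via br0
Feb  6 20:56:56 sg1 dhcpd[7282]: ns1.rock.lan: host unknown.
Feb  6 20:56:56 sg1 dhcpd[7282]: DHCPACK on 192.168.1.3 to c8:9c:dc:d1:b9:ba via br0
Feb  6 20:56:56 sg1 dhcpd[7282]: Unable to add forward map from VENUS.rock.lan to 192.168.1.3: SERVFAIL
Feb  6 20:57:17 sg1 dhcpd[7282]: DHCPDISCOVER from 8c:f5:a3:7a:19:9c via br0
Feb  6 20:57:18 sg1 dhcpd[7282]: DHCPOFFER on 192.168.1.2 to 8c:f5:a3:7a:19:9c (Samsung-Galaxy-S7) via br0
Feb  6 20:57:18 sg1 dhcpd[7282]: DHCPREQUEST for 192.168.1.2 (192.168.1.1) from 8c:f5:a3:7a:19:9c (Samsung-Galaxy-S7) via br0
Feb  6 20:57:18 sg1 dhcpd[7282]: DHCPACK on 192.168.1.2 to 8c:f5:a3:7a:19:9c (Samsung-Galaxy-S7) via br0
Feb  6 20:57:18 sg1 dhcpd[7282]: Unable to add forward map from Samsung-Galaxy-S7.rock.lan to 192.168.1.2: SERVFAIL
""".splitlines()

SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) dhcpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
MAC_RE = re.compile(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}")
LEASE_IP_RE = re.compile(r"\b(?:on|for) (\d+\.\d+\.\d+\.\d+)")   # the address offered/acked/requested
VIA_RE = re.compile(r"via (\S+)$")                                # interface the request arrived on
DDNS_FAIL_RE = re.compile(r"Unable to add (?:forward|reverse) map from (\S+) to (\S+): (\S+)")
DHCP_EVENTS = {"DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK", "DHCPNAK"}


def parse_line(line):
    """Classify one syslog line from dhcpd; returns None for lines that are not dhcpd's."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    ev = {"ts": m["ts"], "kind": None, "msg": msg}
    first = msg.split(" ", 1)[0]
    if first in DHCP_EVENTS:
        ev["kind"] = first
        mac = MAC_RE.search(msg)
        ip = LEASE_IP_RE.search(msg)
        via = VIA_RE.search(msg)
        ev["mac"] = mac.group(0) if mac else None
        ev["ip"] = ip.group(1) if ip else None
        ev["iface"] = via.group(1) if via else None
    elif DDNS_FAIL_RE.match(msg):
        ev["kind"] = "DDNS_FAIL"
        ev["name"], ev["ip"], ev["rcode"] = DDNS_FAIL_RE.match(msg).groups()
    elif msg.startswith("Dynamic and static leases present for "):
        ev["kind"] = "LEASE_CONFLICT"
        ev["ip"] = msg.rsplit(" ", 1)[1].rstrip(".")
    return ev


def analyse(lines):
    """Summarise a dhcpd log: acked leases per MAC, DDNS failures, lease conflicts, unanswered discovers."""
    report = {"acks": {}, "ddns_failures": [], "lease_conflicts": [], "unanswered_discovers": []}
    pending = {}  # MAC -> timestamp of a DISCOVER that has not been answered with an OFFER yet
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["kind"] is None:
            continue
        kind = ev["kind"]
        if kind == "DHCPDISCOVER":
            pending[ev["mac"]] = ev["ts"]
        elif kind == "DHCPOFFER":
            pending.pop(ev["mac"], None)
        elif kind == "DHCPACK":
            report["acks"][ev["mac"]] = (ev["ip"], ev["iface"])
        elif kind == "DDNS_FAIL":
            report["ddns_failures"].append((ev["name"], ev["ip"], ev["rcode"]))
        elif kind == "LEASE_CONFLICT":
            report["lease_conflicts"].append(ev["ip"])
    report["unanswered_discovers"] = sorted(pending)
    return report


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Pointed at `/var/log/messages` (or whatever syslog file dhcpd writes to), the `unanswered_discovers` list is the one to watch for the LAN-side problem discussed later in the thread: a client whose DISCOVER never shows up at all is not reaching the server, while one that shows up without an OFFER is reaching an interface dhcpd has no matching subnet for.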

----------

## bbgermany

Looks like you ran into the same issue as I did: one wireless interface and two VLANs won't work. Adding another physical card/interface solved this for me.

greets, bb

----------

## Rocky007

Would it help first vlan and then bridging or is it the same when first bridging and then vlan?

----------

## bbgermany

I tried both. When creating the VLANs first, I wasn't able to add the wireless interface to both VLANs. If I created the bridges first, I wasn't able to create VLANs anymore and run hostapd. I just gave up and added the USB wireless device.

But you can try it yourself, maybe you have more luck than I had.

greets, bb

----------

## Rocky007

I think I've found the solution...

hostapd has the following USE flag:

- netlink: Adding support for using netlink to create VLANs

I will try this this afternoon and let you know.

----------

## Rocky007

It's not working, even with vlan enabled...

I'm thinking of using a 2nd WLAN card.

Is it possible with two WLAN cards to have just 1 AP but 2 subnets controlled by DHCP?

----------

## Rocky007

I've drawn a topology of how I want to structure the server and how the NICs are connected with each other:

https://s2.imagebanana.com/file/180207/5pNViUAQ.PNG

----------

## szatox

I think you're doing it wrong. You have too many IPs around your bridge.

A bridge works in layer 2. You deal with MAC addresses there. You're not supposed to give IP addresses to the enslaved interfaces. You only give one IP to the bridge interface itself.

All devices connected to the bridge can see each other unless you explicitly enable firewall on bridged interfaces - the traffic passing through is not considered for filtering otherwise.

So:

* either enable routing, remove the bridge, and give IPs to all those physical interfaces you have there (and then create separate subnets in your DHCP, and put that DHCP on your router, so it can assign your clients to the correct subnets based on the local interface)

* or remove IPs from all interfaces and put it on your bridge instead, and go for a uniform network with a single, shared address space.

----------

## Rocky007

I've done it now as bbgermany suggested....

Now it works perfectly.

One error I noticed after a few minutes of activity is the following kernel message:

```

Feb  8 19:40:49 sg1 kernel: AMD-Vi: Event logged [

Feb  8 19:40:49 sg1 kernel: IO_PAGE_FAULT device=0a:00.0 domain=0x000b address=0x00000000f3fea064 flags=0x0000]

```

and then I can't connect anymore and have to restart the whole server.

@bbgermany

Is it possible to get IPs via the LAN port at your end?

----------

## bbgermany

 *Rocky007 wrote:*   

> I've done it now as bbgermany suggested....
> 
> Now it works perfectly.
> 
> One error I noticed after a few minutes of activity is the following kernel message:
> ...

 

Ubuntu has the same problem. They suggest adding the following to your grub cmdline:

```

iommu=soft

```

 *Rocky007 wrote:*   

> 
> 
> @bbgermany
> 
> is it possible via the lan port to get ips at you?

 

Do you mean the public addresses your provider gives to your router?

greets, bb

----------

## Rocky007

Hi bbgermany,

I mean DHCP addresses...

Currently I'm only able to get IPs via DHCP when on WLAN; on LAN no request reaches the DHCP server.

Maybe it has something to do with my PowerLan, but I can see both adapters in the TP-Link management tool and they are connected.

----------

## bbgermany

I think you need to set up the DHCP server to listen on the LAN interface as well then.

Greets, bb

----------

## Rocky007

I've got the following set: DHCPD_IFACE="brvlan1 brvlan2"

The Ethernet interface is VLAN-tagged and then bridged, exactly like in your config, just with other interface names:

```

# WAN Interface

config_enp6s0="192.168.178.29/24"

routes_enp6s0="default via 192.168.178.1"

dns_servers_enp6s0="127.0.0.1 192.168.178.1"

# Bridge Interface

vlans_enp7s0="1 2"

config_enp7s0="null"

config_enp7s0_1="null"

config_enp7s0_2="null"

config_brvlan1="192.168.1.1/24"

config_brvlan2="192.168.2.1/24"

bridge_forward_delay_brvlan1=0

bridge_hello_time_brvlan1=1000

bridge_stp_state_brvlan1=1

bridge_brvlan1="enp7s0.1"

bridge_forward_delay_brvlan2=0

bridge_hello_time_brvlan2=1000

bridge_stp_state_brvlan2=1

bridge_brvlan2="enp7s0.2"

rc_net_brvlan1_need="net.enp7s0"

rc_net_brvlan2_need="net.enp7s0"

# WiFi Card Intern

modules_wlp9s0="!iwconfig !wpa_supplicant"

config_wlp9s0="null"

# WiFi Card Extern

modules_wlp10s0="!iwconfig !wpa_supplicant"

config_wlp10s0="null"

preup() {

        COUNTRY=DE crda

        rfkill unblock all

        iw reg set DE

}

```

----------

## bbgermany

I thought the vlans are for wireless only. Do they connect to clients on ethernet as well?

greets, bb

----------

## Rocky007

Yes, that is what i want....

The server should give out ips via wireless net and ethernet (now 2 wireless cards, one for each subnet/vlan, and one ethernet interface vlaned to get this via ethernet too)

----------

## bbgermany

Hi,

I'm not running my DHCP directly on my hostapd server, but I have two subnet definitions in my dhcpd.conf on the other host. Since this host has multiple network interfaces as well, it provides DHCP according to the subnets on the matching interfaces without any issues. You should check your switch config as well, so that the clients which should get an IP address from the corresponding subnet definition are on the same VLAN on the switch.

If you have a Cisco switch, the config for the interfaces should be something like this (iirc), if the first port is your hostapd server, the second port is a LAN client and the VLAN id is 3:

```

conf t

interface ethernet 0/1

switchport mode access

switchport access vlan 3

interface ethernet 0/2

switchport mode access

switchport access vlan 3

exit

```

Don't forget to save the config, otherwise it will be gone on the next switch reboot ;)

greets, bb

----------

## Rocky007

Hi,

I've got no manageable switch there.

Just a PowerLan plug...

Maybe I don't need VLANs?

Everything I want is:

 - 2 WiFi nets (1x Personal, 1x Guest)

 - 2 subnets in DHCP (1x Personal 192.168.1.0/24, 1x Guest 192.168.2.0/24)

 - Everyone can connect to WiFi/LAN and, depending on the DHCP setting (allow/deny unknown-clients), ends up in the specified subnet...

----------

## bbgermany

You can't do VLANs on the same switch if it's not manageable, and they make no sense if you have two switches on different interfaces.

greets, bb

----------

## Rocky007

So I just need a bridge for what i want?

/etc/conf.d/net

```

# WAN Interface

config_enp6s0="192.168.178.29/24"

routes_enp6s0="default via 192.168.178.1"

dns_servers_enp6s0="127.0.0.1 192.168.178.1"

config_enp7s0="null"

config_br1="192.168.1.1/24"

bridge_forward_delay_br1=0

bridge_hello_time_br1=1000

bridge_stp_state_br1=0

bridge_br1="enp7s0.1"

config_br2="192.168.2.1/24"

bridge_forward_delay_br2=0

bridge_hello_time_br2=1000

bridge_stp_state_br2=0

bridge_br2="enp7s0.2"

rc_net_br1_need="net.enp7s0"

rc_net_br2_need="net.enp7s0"

# WiFi Card Intern

modules_wlp9s0="!iwconfig !wpa_supplicant"

config_wlp9s0="null"

# WiFi Card Extern

modules_wlp10s0="!iwconfig !wpa_supplicant"

config_wlp10s0="null"

preup() {

        COUNTRY=DE crda

        rfkill unblock all

        iw reg set DE

}

```

/etc/conf.d/dhcpd

```

DHCPD_IFACE="br1 br2"

```

/etc/conf.d/hostapd

```

INTERFACES="br1 br2 wlp9s0 wlp10s0"

```

----------

## bbgermany

Hi,

1st: you should install another Ethernet card and a second wireless card if you want to isolate the networks, otherwise you won't be able to accomplish this.

2nd: create two bridges, each with one Ethernet and one wireless card.

3rd: create the hostapd config according to your bridges.

Or get a manageable switch and have a look at VLAN howtos!

greets, bb

----------

## Rocky007

Would it work to get a managed switch with VLAN support and the PowerLan to my room, or do I need something in between?

Maybe a PowerLan adapter with multiple Ethernet ports?

----------

## bbgermany

I'm not sure about VLANs via PowerLan, I haven't tested mine because I want to replace it. Maybe a second PowerLan with a different encryption key can work with VLANs, but don't count on this. But there are some PowerLan adapters that support VLANs. Just check yours for 802.1Q support. If it supports this, you should be good.

greets, bb

----------

