Hostapd (Host access point daemon) is a user space software access point capable of turning normal network interface cards into access points and authentication servers. The current version supports Linux (Host AP, madwifi, mac80211-based drivers) and FreeBSD (net80211).
Scope of this document
Hostapd can do a lot of things, but only its most basic aspects will be covered in this article.
Requirement
A WiFi card with AP mode support is needed:
iw list | grep "Supported interface modes" -A 8
Supported interface modes:
 * IBSS
 * managed
 * AP
 * AP/VLAN
 * WDS
 * monitor
 * P2P-client
 * P2P-GO
WiFi Technology
A brief reminder of the technology involved.
|Standard||Band||Year||Maximum rate||Popularity||Notes|
|802.11g||2.4GHz||2003||54Mbps||modest||on its way to becoming obsolete|
|802.11n||2.4GHz or 5GHz||2009||600Mbps||popular||a device can only use one band at a time, not both at the same time; some low-end devices claim to be 802.11n but really only support the 2.4GHz band|
|802.11ac||5GHz||2013||6777Mbps||rare||on its way to becoming very popular|

|Band||Standards||Channels||Interference|
|2.4GHz||b/g/n||11 to 14||high because channels overlap and high popularity|
|5GHz||a/n/ac||around 20, depends on the country||low because channels do not overlap and low popularity|
- An AP is like a wireless switch;
- An AP can only use one band at a time: 2.4GHz OR 5GHz. A so-called "dual-band AP" is just one AP at 2.4GHz plus one at 5GHz;
- An AP using the 2.4GHz band can be b, g and n at the same time (if the hardware supports it);
- An AP using the 5GHz band can be a, n and ac at the same time (if the hardware supports it);
- An AP can have multiple SSIDs, making it look like multiple APs, but all will share the same band AND channel.
Capabilities of Hostapd
What it can do
- Create an AP;
- Create multiple APs on the same card (if the card supports it, usually up to 8);
- Create one AP on one card and another AP on a second card, all within a single instance of Hostapd;
- Use 2.4GHz and 5GHz at the same time on the same card. This requires a card with two radios though, which is pretty rare (but hostapd supports it) - if the card creates two wlanX interfaces, you might be lucky;
What it cannot do
- Create multiple APs on different channels on the same card. Multiple APs on the same card will share the same channel;
- Create a dual-band AP, even with two cards. But it can create two APs with the same SSID;
- Assign IPs to the devices connecting to the AP; a DHCP server is needed for that;
- Assign an IP to the AP itself; it is not hostapd's job to do that.
IP, DHCP, and Routing
Hostapd only creates wireless Ethernet switches; it does not know about the IP protocol or routing.
IP of the AP
An AP's interface really is just an Ethernet interface:
(...)
modules_wlan0="!iwconfig !wpa_supplicant" # by default wireless interfaces are assumed to be clients, not APs
config_wlan0="192.168.42.1/24" # the AP's IP and network
ln -s net.lo /etc/init.d/net.wlan0
rc-update add net.wlan0 default
A DHCP server listening on the AP's interface will provide the AP's clients with IPs.
There is nothing special about routing an AP: it behaves exactly like an Ethernet interface.
Sample configurations
802.11b/g/n with WPA2-PSK and CCMP
A simple but secure AP with maximal compatibility for current hardware:
# comments sit on their own lines: hostapd only ignores lines starting with #
# the interface used by the AP
interface=wlan0
# g simply means 2.4GHz band
hw_mode=g
# the channel to use
channel=10
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=FR
# 802.11n support
ieee80211n=1
# QoS support
wmm_enabled=1
# the name of the AP
ssid=somename
# 1=open system authentication (used with WPA), 2=shared key authentication (WEP), 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=somepassword
802.11a/n/ac with WPA2-PSK and CCMP
A simple but secure AP for recent hardware:
# the interface used by the AP
interface=wlan0
# a simply means 5GHz
hw_mode=a
# the channel to use, 0 means the AP will search for the channel with the least interference
channel=0
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=FR
# 802.11n support
ieee80211n=1
# 802.11ac support
ieee80211ac=1
# QoS support
wmm_enabled=1
# the name of the AP
ssid=somename
# 1=open system authentication (used with WPA), 2=shared key authentication (WEP), 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=somepassword
802.11b/g/n triple AP
Three APs on the same card, one with WPA2, one with WPA1, one without encryption.
Hostapd automatically creates new interfaces for the extra APs:
# the interface used by the AP
interface=wlan0
# g simply means 2.4GHz
hw_mode=g
# the channel to use
channel=10
# limit the frequencies used to those allowed in the country
ieee80211d=1
# the country code
country_code=FR
# 802.11n support
ieee80211n=1
# QoS support
wmm_enabled=1

# First AP
# the name of the AP
ssid=test1
# 1=open system authentication (used with WPA), 2=shared key authentication (WEP), 3=both
auth_algs=1
# WPA2 only
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=somepassword

# Second AP
# the name of the new interface hostapd will create to handle this AP
bss=wlan1
# the name of the AP
ssid=test2
# 1=open system authentication (used with WPA), 2=shared key authentication (WEP), 3=both
auth_algs=1
# WPA1 only
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=someotherpassword

# Third AP
# the name of the new interface hostapd will create to handle this AP
bss=wlan2
# since there is no encryption defined, none will be used
ssid=test3
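The settings that separate the three APs above (wpa=, the pairwise cipher, the passphrase) can be checked per BSS before hostapd is started. The following Python script is an added example, not part of the original page or of hostapd; the function names and the sample configuration are constructed for illustration, and it relies on hostapd ignoring only lines that start with #.

```python
import re

# Constructed sample in the page's three-BSS layout; values are illustrative.
SAMPLE = """\
interface=wlan0
wpa=2
rsn_pairwise=CCMP
wpa_passphrase=somepassword
bss=wlan1
wpa=1
wpa_passphrase=short
bss=wlan2
ssid=test3 # guest
"""

def parse_bss(text):
    """Return one settings dict per BSS; interface= and bss= each start a BSS."""
    sections = []
    for line in text.splitlines():
        if line.startswith("#") or "=" not in line:
            continue  # only whole-line comments are skipped, as hostapd does
        key, value = line.split("=", 1)
        if key in ("interface", "bss"):
            sections.append({"iface": value})
        elif sections:
            sections[-1][key] = value
    return sections

def audit(text):
    """Return (interface, finding) pairs for weak or malformed BSS settings."""
    findings = []
    for bss in parse_bss(text):
        name = (bss["iface"].split() or ["?"])[0]
        for key, value in bss.items():
            if value != value.rstrip() or " #" in value:
                findings.append((name, f"{key}: trailing text is kept as part of the value"))
        m = re.match(r"\s*(\d+)", bss.get("wpa", "0"))
        wpa = int(m.group(1)) if m else 0
        ciphers = (bss.get("wpa_pairwise", "") + " " + bss.get("rsn_pairwise", "")).split()
        if wpa == 0:
            findings.append((name, "open network: no wpa= setting, traffic is unencrypted"))
        if wpa & 1:
            findings.append((name, "WPA1 enabled: prefer wpa=2 with rsn_pairwise=CCMP"))
        if "TKIP" in ciphers:
            findings.append((name, "TKIP listed as a pairwise cipher"))
        psk = bss.get("wpa_passphrase")
        if psk is not None and not 8 <= len(psk) <= 63:
            findings.append((name, "wpa_passphrase must be 8 to 63 characters"))
    return findings
```

On the sample, the WPA2/CCMP BSS produces no findings, while the WPA1 BSS and the open BSS are each reported twice.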
Proper use of the 5GHz band
Depending on where you live, using the 5GHz band has limitations:
- some channels are forbidden
- some channels are for indoor use only
- some channels require DFS to be used (Dynamic Frequency Selection, to prevent interference with radars)
- some channels require TPC to be used (Transmit Power Control, to limit interference)
The problem is that each country has its own rules and those rules are complex and regularly changing.
The package net-wireless/wireless-regdb maintains a regulatory database, for each country, of what channels can be used and with what limitations.
To use the database, you either need to emerge net-wireless/hostapd with the crda USE flag, or make the database directly available to the kernel, as you would with a firmware (the files are: /lib/firmware/regulatory.db and /lib/firmware/regulatory.db.p7s).
CRDA is on its way to being deprecated in favour of the firmware approach but is still maintained.
The DFS requirement is relatively new and is usually only implemented in 802.11ac and recent 802.11n devices.
Furthermore, only Atheros drivers (ath5k, ath9k, ath10k) support it.
Note that a driver missing DFS support can still use the 5GHz band, but only on channels which do not require DFS.
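Which 5GHz channels the kernel currently allows for an AP can be read from the frequency list printed by iw list, where restricted channels carry flags such as (disabled), (radar detection) and (no IR). The following Python script is an added example, not from the original page; the sample output is constructed and the function names are hypothetical.

```python
import re

# Constructed excerpt of `iw list` output for a 5GHz band; values are illustrative.
SAMPLE_IW = """\
    Frequencies:
        * 5180 MHz [36] (20.0 dBm)
        * 5200 MHz [40] (20.0 dBm)
        * 5260 MHz [52] (20.0 dBm) (radar detection)
        * 5500 MHz [100] (disabled)
        * 5745 MHz [149] (20.0 dBm) (no IR)
"""

# Matches "* 5180 MHz [36] ..." and the "5180.0 MHz" form printed by newer iw.
FREQ = re.compile(r"\*\s+\d+(?:\.\d+)? MHz \[(\d+)\]\s*(.*)")

def classify_channels(iw_output):
    """Map channel number to 'ok', 'dfs', 'no-ir' or 'disabled'."""
    result = {}
    for line in iw_output.splitlines():
        m = FREQ.search(line)
        if not m:
            continue
        channel, flags = int(m.group(1)), m.group(2)
        if "disabled" in flags:
            result[channel] = "disabled"      # forbidden in this regulatory domain
        elif "radar detection" in flags:
            result[channel] = "dfs"           # usable only with DFS support
        elif "no IR" in flags:
            result[channel] = "no-ir"         # the card may not start transmitting here
        else:
            result[channel] = "ok"
    return result

def ap_channels(iw_output, driver_has_dfs=False):
    """Channels that can go into hostapd's channel= for this card."""
    allowed = {"ok", "dfs"} if driver_has_dfs else {"ok"}
    return sorted(c for c, s in classify_channels(iw_output).items() if s in allowed)
```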