
FreeBSD Desktop – Part 2 – Install

This is the second post in the FreeBSD Desktop series.

You may want to check other articles in the FreeBSD Desktop series on the FreeBSD Desktop – Global Page where you will find links to all episodes of the series along with table of contents for each episode’s contents.

How about actually installing FreeBSD? On real hardware? You may first want to mess with the FreeBSD installer in a virtualized hardware (Bhyve/KVM/XEN/Virtualbox/…) so You will gain some confidence. In this series of posts we will create a complete step by step FreeBSD desktop installation on a USB 2.0 pendrive. 8 GB size or more is required. This way You will not have to ‘touch’ your installed system and as You gain confidence in FreeBSD You may want to switch to it if it suits your needs better than the currently installed system on your hardware. This way You can also try it on various computers without the need of (re)install or You may use it as your ‘go/mobile’ system on a stick.

For the series I will use one of the best laptops ever made – Lenovo ThinkPad X220 – shown below.


It's a 2011 12.5″ screen laptop with the best keyboard layout in the world. As the series progresses I will also show the differences to another laptop – Lenovo ThinkPad T420s – another great machine. Besides being one of the best laptops ever made they also today have another advantage – they are dirt cheap. You can get any of them in a really good condition for about $150-180.


First we need to setup our machine, I mean the BIOS settings in the laptop. We will disable unused (Express Card/Bluetooth/Camera/Fingerprint Reader/…) and unwanted options (Intel AMT/Security Chip/UEFI/…). Below are screens with these settings.



















The install is very similar to the HardenedBSD install made in earlier post – Introduction to HardenedBSD World.

You will need:
* 8GB or larger USB pendrive for the installation (or install directly to hard disk)
* 1GB or larger USB pendrive or 700MB CD-R(W) disk for the FreeBSD installer to boot/install from

Besides all Lenovo ThinkPad XY20 (X220/T420/T420s/T520/W520) laptops being one of the best ever made they have one amusing problem – the broken GPT boot 🙂 The installer – on these Lenovo laptops – will ask You if You want to apply that fix – answer ‘yes’ there. Later in the setup process this option is called GPT + Lenovo Fix (BIOS) as a Partition Scheme option. You can read more about the GPT issue in this FreeBSD Mailing Lists post – using GPT / EFI booting on Lenovo BIOSes – https://lists.freebsd.org/pipermail/freebsd-i386/2013-March/010437.html.

One more thing to mention, this GPT BUG is present only when You want to boot FreeBSD from GPT partition in BIOS/Legacy mode. If You make UEFI install (which we will do in one of the next articles in the series) this problem is not present and FreeBSD boots properly on Lenovo ThinkPad X220 (and others from the XY20 series) from GPT partition in UEFI mode.

Now the install process. First You need the FreeBSD 11.1-RELEASE install image, download it from here – FreeBSD-11.1-RELEASE-amd64-memstick.img – http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-memstick.img.

To put the image on the pendrive we will use the dd(1) tool available on almost any Mac OS X (macOS) and Linux system – You can read more about that command on following Wikipedia article on dd command.

For Windows You will have to download it from here – dd for windows – http://www.chrysocome.net/dd.

On FreeBSD such command will look like that:

# dd if=FreeBSD-11.1-RELEASE-amd64-memstick.img of=/dev/da1

… but for performance reasons it's better to add bs=1m (bs=1M on Linux/Windows) to the command.

# dd if=FreeBSD-11.1-RELEASE-amd64-memstick.img of=/dev/da1 bs=1m

Alternatively You may want to burn the ISO image to the CD-R(W) disc and boot from it instead of USB pendrive, in such case here is the ISO image link – FreeBSD-11.1-RELEASE-amd64-disc1.iso – http://ftp.freebsd.org/pub/FreeBSD/releases/ISO-IMAGES/11.1/FreeBSD-11.1-RELEASE-amd64-disc1.iso
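
Both images above are fetched over plain HTTP, so check the download before writing it to the pendrive. An added example (not from the original post): it compares the image with a BSD-style checksum manifest, assumed here to be the CHECKSUM.SHA256-FreeBSD-11.1-RELEASE-amd64 file published next to the images; the function names are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded image against a BSD-style checksum
# manifest before handing it to dd(1). Manifest lines look like:
#   SHA256 (FILENAME) = HEXDIGEST

# sha256_of FILE: print the SHA-256 digest using whichever tool exists.
sha256_of() {
  if command -v sha256 > /dev/null 2>&1; then
    sha256 -q "$1"                            # FreeBSD
  elif command -v sha256sum > /dev/null 2>&1; then
    sha256sum "$1" | awk '{ print $1 }'       # Linux
  else
    shasum -a 256 "$1" | awk '{ print $1 }'   # macOS
  fi
}

# expected_sha256 MANIFEST FILENAME: print the digest listed for FILENAME.
expected_sha256() {
  awk -v want="($2)" \
    '$1 == "SHA256" && $2 == want && $3 == "=" { print $4; exit }' "$1"
}

# verify_image IMAGE MANIFEST
# 0 = digest matches, 1 = mismatch, 2 = unreadable input,
# 3 = manifest has no usable entry for this file name.
verify_image() {
  image=$1
  manifest=$2
  name=$(basename "$image")
  if [ ! -r "$image" ] || [ ! -r "$manifest" ]; then
    echo "cannot read $image or $manifest" >&2
    return 2
  fi
  want=$(expected_sha256 "$manifest" "$name")
  # A SHA-256 digest is exactly 64 hex characters; anything else is
  # treated as "no entry" rather than compared.
  case $want in
    '' | *[!0-9a-fA-F]*) want='' ;;
  esac
  if [ "${#want}" -ne 64 ]; then
    echo "no SHA256 entry for $name in $manifest" >&2
    return 3
  fi
  have=$(sha256_of "$image")
  if [ "$have" = "$want" ]; then
    echo "OK $name"
    return 0
  fi
  echo "MISMATCH $name: expected $want, got $have" >&2
  return 1
}

# Stand-alone use: sh verify-image.sh IMAGE MANIFEST && dd if=IMAGE ...
if [ $# -eq 2 ]; then
  verify_image "$1" "$2"
fi
```

A manifest fetched over the same HTTP connection only catches corruption; the digests also appear in the PGP-signed release announcement.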

Now to install. Attach the USB pendrive or CD disc with FreeBSD installer and boot from it, on most laptops You may show the temporary boot list selection with [F11] or [F12] key.

After You have booted to the screen below with Welcome message, leave the ‘focus’ on the Install button and attach the 8GB or larger USB pendrive for installation.


You will see kernel buffer messages messing the screen and showing that new drive has been attached, but as the ‘focus’ is still on the Install button so just hit [ENTER] key and proceed with the installation process as shown on the images below.

You can select your desired keyboard layout, it can also be changed later, your choice.


When we have a new machine there is always a problem with a new name for it. The RFC 1178 Choosing a Name for Your Computer from 1990 tries to address that issue – https://tools.ietf.org/html/rfc1178. For machine hostname we will use the Slavic word for the wind which would be vetru – in normalized form – as the original, as You can imagine, is not ASCII compatible – вѣтръ (větrŭ) 🙂


We do not need any additional components, with all deselected as shown below only the (not shown) base and kernel will be installed.


We will use ZFS because we want to use Boot Environments with sysutils/beadm port.


Hit [ENTER] on the Pool Type/Disks to select target disk to install FreeBSD on.


As we will be using only single disk without redundancy select stripe here.


This may vary, select the pendrive (or disk) that You want to install FreeBSD on.


We will set SWAP size to ‘0‘ (no SWAP) as it will not be needed. If we will need SWAP in the future, then we will create ZVOL on ZFS and use it as a SWAP device.



As we are installing it on a Lenovo ThinkPad X220 with GPT BUG then we need to select GPT + Lenovo FIX (BIOS) here.


Now move ‘focus’ to Install and hit [ENTER] to proceed with installation.


This is the last chance to not overwrite your precious data.


Then You will see the install progress.


Fill in your root user password.


Select any interface here as we will not be making any configuration here.


Leave the interface unconfigured for now, we will take care about that later.



Now we will configure the time zone, I have configured Europe/Poland as shown below.



Now you may correct the date and time.



Select services as shown below.


Enable all security hardening features as shown below.


We want to create new ‘regular’ user so answer Yes here.


For the username we will use Slavic word for wolf which is Vuk.



Our job is done here, hit [ENTER] key with ‘focus’ on Exit.


Installer will ask You if You want to modify the installed system before rebooting into it. We do not have any needs now so hit [ENTER] key on No option.


As we finished hit [ENTER] on Reboot button.



After the boot process of the newly installed FreeBSD 11.1-RELEASE USB pendrive You will see an image similar to below one.



What to do next? Let's make some basic network connectivity. Later in the FreeBSD Desktop series we will switch to network.sh for networking – FreeBSD Network Management with network.sh Script – but now let's see how it's done the raw way. If You have attached a LAN cable and your interface is em0 (check ifconfig(8) command output) then the dhclient em0 command should grant You a working connection to the Internet – assuming that You have a DHCP server on that network. Here are the commands.

# ifconfig em0 up

# dhclient em0
DHCPREQUEST on em0 to port 67
bound to -- renewal in 2147483647 seconds.

To test the network connectivity use the ping(8) command.

# ping -c 3 freebsd.org
PING freebsd.org ( 56 data bytes
64 bytes from icmp_seq=0 ttl=52 time=242.421 ms
64 bytes from icmp_seq=1 ttl=52 time=234.535 ms
64 bytes from icmp_seq=2 ttl=52 time=245.120 ms

--- freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 234.535/240.692/245.120/4.491 ms

Also check LAN network chapter in the FreeBSD Handbook – https://freebsd.org/handbook/config-network-setup.html

If You would like to connect to the World with wireless connection then here are the needed commands.

First let's check what wireless card You have.

# sysctl net.wlan.devices
net.wlan.devices: iwn0

We will now create wlan(4) virtual device on top of our iwn0 device and bring it up.

# ifconfig wlan0 create wlandev iwn0

# ifconfig wlan0 up

We can scan for existing nearby WiFi access points if needed.

# ifconfig wlan0 scan
SSID/MESH ID    BSSID              CHAN RATE    S:N     INT CAPS
xxxxxxx         xx:xx:xx:xx:xx:xx    7   54M  -85:-95   100 EPS  HTCAP RSN WME BSSLOAD WPS
WIFI-NETWOR...  xx:xx:xx:xx:xx:xx    8   54M  -71:-95   100 EPS  HTCAP APCHANREP WME ATH RSN WPA
xxxxxxx         xx:xx:xx:xx:xx:xx    1   54M  -90:-95   100 EPS  RSN HTCAP WME ATH WPS
xxxxxxx         xx:xx:xx:xx:xx:xx    1   54M  -90:-95   100 EP   RSN WME WPS

In case the name of the network does not fit into the first column, then use -v flag for verbose (and wider) output.

# ifconfig -v wlan0 scan

Now we need to add the desired WiFi network to the /etc/wpa_supplicant.conf file as shown below.

# cat > /etc/wpa_supplicant.conf << __EOF

Then You may connect to it using the wpa_supplicant(8) daemon. We will connect to the WiFi hot spot, and when the message ‘CTRL-EVENT-CONNECTED‘ is displayed we hit the [CTRL]+[Z] key combination to put the process into suspended state (SIGTSTP signal). Then we type the bg(1) command to put it back into running state, but in the background (SIGCONT signal) so we can continue to type next commands.

# wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: Trying to associate with xx:xx:xx:xx:xx:xx (SSID='WIFI-NETWORK-NAME' freq=2447 MHz)
wlan0: Associated with xx:xx:xx:xx:xx:xx
wlan0: WPA: Key negotiation completed with xx:xx:xx:xx:xx:xx [PTK=CCMP GTK=TKIP]
wlan0: CTRL-EVENT-CONNECTED - Connection to xx:xx:xx:xx:xx:xx completed [id=17 id_str=]
[1]  + Suspended  sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf
# bg
[1]    sudo wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf &

Now we will request for the IP address from the access point DHCP server.

# dhclient wlan0
DHCPREQUEST on wlan0 to port 67
bound to -- renewal in 2147483647 seconds.

To test the network connectivity use the ping(8) command.

# ping -c 3 freebsd.org
PING freebsd.org ( 56 data bytes
64 bytes from icmp_seq=0 ttl=52 time=242.421 ms
64 bytes from icmp_seq=1 ttl=52 time=234.535 ms
64 bytes from icmp_seq=2 ttl=52 time=245.120 ms

--- freebsd.org ping statistics ---
3 packets transmitted, 3 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 234.535/240.692/245.120/4.491 ms

Also check WLAN chapter in the FreeBSD Handbook – https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/network-wireless.html


In case You want to learn more about FreeBSD the FreeBSD Handbook and FreeBSD FAQ are a good place to start.


In case the installer did not do its job properly You can make the fix by yourself, you just need a FreeBSD system for it (You already have it on the USB pendrive or CD disk). Boot into the first question and move the ‘focus’ to the Live CD button on the right but do not hit the [ENTER] yet. Now, attach the USB pendrive with FreeBSD installed. The screen will be flooded with kernel buffer messages about attaching a new da device, note the da device number (for example da1) and now hit [ENTER] key.

You will be welcomed with login: prompt, type root and hit [ENTER] (no password is required).

Remember the kernel buffer messages screen earlier? They started with the device name (like da0 or da1), we will use that device name to apply the fix. I will assume it's da0. First, let's dump the partition table to the FDISK file.

# fdisk -p /dev/da0 > FDISK

# cat FDISK
# /dev/da0
g c1886 h255 s63
p 1 0xee 63 30298527

Now we need to make the fix: after the 'p 1 (...)' line add 'a 1' and below that line copy the line that starts with 'p 1 (...)' and name it 'p 2 (...)'. Now in the ‘first’ line with 'p 1 (...)' change the 0xee into 0x00. Final result is shown below.

# vi FDISK
# /dev/da0
g c1886 h255 s63
p 1 0x00 63 30298527
a 1
p 2 0xee 63 30298527

After writing the file, apply this new partition table into the da0 device with fdisk(8) command.

# fdisk -f FDISK /dev/da0

Verify that fix is applied.

# fdisk -p /dev/da0
# /dev/da0
g c1886 h255 s63
p 2 0xee 63 30298527

Indeed it is. Now You have Lenovo GPT fix applied. It is important to mention that this ‘fix’ does not break the USB pendrive for computers that do not have the GPT problem, so with GPT FIX applied you may use it on computers other than Lenovo.


In case You may want to start after the installation I have uploaded the installed image here – http://www.mediafire.com/file/ywcnw99ghqezd6u/usb-freebsd-11.1-lenovo.raw.xz – keep in mind that it's compressed by xz(1) so in order to apply it to USB pendrive You must first unpack it. You may do that on the fly with following command assuming that we will be writing that image to da1 device:

# xz -c -d usb-freebsd-11.1-lenovo.raw.xz | dd of=/dev/da1 bs=1m

For the record, this image contains the Lenovo GPT FIX. The passwords are set to ‘asd‘ for convenience.

Enough for one post 😉

UPDATE 1 – Lenovo GPT Fix with gpart(8)

Initially I described how to apply a fix for the broken Lenovo GPT bug with the fdisk(8) tool. This is very tricky and error prone but there is a lot easier way to make the same fix. It's made with another FreeBSD tool called gpart(8) and it's one line only.

# gpart set -a lenovofix /dev/ada0
lenovofix set on ada0

Done. No longer the need to dance with fdisk(8) tool.


FreeBSD Network Management with network.sh Script

When You use only one connection on FreeBSD, then the best practice is to just put its whole configuration into the /etc/rc.conf file, for example typical server redundant connection would look like that one below.

ifconfig_igb0="-lro -tso -vlanhwtag mtu 9000 up"
ifconfig_igb1="-lro -tso -vlanhwtag mtu 9000 up"
ifconfig_lagg0="laggproto lacp laggport igb0 laggport igb1 up"

If You must use more than one connection and You often switch between them, sometimes several times a day, then using the main FreeBSD’s config file is not the most convenient way for such operations. This is the case for laptops, where You often switch between WWAN (usually 3G connection), WLAN (typical WiFi connection) and even LAN cable.

You can of course use graphical NetworkMgr from GhostBSD project which is described as “Python GTK3 network manager for FreeBSD, GhostBSD, TrueOS and DragonFlyBSD. NetworkMgr support both netif and OpenRC network” citing the project site – https://github.com/GhostBSD/networkmgr – it is also available in FreeBSD Ports and as package – net-mgmt/networkmgr.


What I miss in NetworkMgr is the WWAN connection management, DNS management, optional random MAC generation and network shares unmount at disconnect from network. With my solution – network.sh – you still need to edit /etc/wpa_supplicant.conf and /etc/ppp/ppp.conf files by hand so it’s also not a perfect solution for typical desktop usage, but you do not edit these files every day.

As I use WWAN, WLAN and LAN connections on my laptop depending on the location I wrote a script to automate this connection management in a deterministic and convenient way, at least for me.

It can also set DNS to some safe/nologging providers or even a random safe DNS and generate legitimate MAC address for both LAN and WLAN if needed, even with real OUI first three octets if You also have additional network.sh.oui.txt file with them inside.

Here is the network.sh script help message.

% network.sh help 
  network.sh TYPE [OPTIONS]



  network.sh lan start
  network.sh lan start IP.IP.IP.IP/MASK
  network.sh lan start IP.IP.IP.IP/MASK GW.GW.GW.GW
  network.sh lan restart
  network.sh wlan start
  network.sh wlan start HOME-NETWORK-SSID
  network.sh wwan example
  network.sh dns onic
  network.sh dns udns
  network.sh dns nextdns
  network.sh dns cloudflare
  network.sh dns ibm
  network.sh dns random
  network.sh dns IP.IP.IP.IP
  network.sh doas
  network.sh sudo
  network.sh status

If You run network.sh with appropriate arguments to start a network connection it will display on the screen what commands it would run to achieve that. It also makes use of sudo(8) or doas(1) assuming that You are in the network group. To add yourself into the network group type this command below.

# pw groupmod network -m yourself

The network.sh doas command will print what rights it needs to work without root privileges, same for network.sh sudo command, an example below.

% network.sh doas
  # pw groupmod network -m YOURUSERNAME
  # cat /usr/local/etc/doas.conf
  permit nopass :network as root cmd /etc/rc.d/netif args onerestart
  permit nopass :network as root cmd /usr/sbin/service args squid onerestart
  permit nopass :network as root cmd dhclient
  permit nopass :network as root cmd ifconfig
  permit nopass :network as root cmd killall args -9 dhclient
  permit nopass :network as root cmd killall args -9 ppp
  permit nopass :network as root cmd killall args -9 wpa_supplicant
  permit nopass :network as root cmd ppp
  permit nopass :network as root cmd route
  permit nopass :network as root cmd tee args -a /etc/resolv.conf
  permit nopass :network as root cmd tee args /etc/resolv.conf
  permit nopass :network as root cmd umount
  permit nopass :network as root cmd wpa_supplicant

The network.sh script does not edit /usr/local/etc/doas.conf or /usr/local/etc/sudoers files, You have to put these lines there by yourself. An example doas setup for network.sh script is below.

# pkg install -y doas

# cat >> /usr/local/etc/doas.conf << __EOF
permit nopass :network as root cmd /etc/rc.d/netif args onerestart
permit nopass :network as root cmd /usr/sbin/service args squid onerestart
permit nopass :network as root cmd dhclient
permit nopass :network as root cmd ifconfig
permit nopass :network as root cmd killall args -9 dhclient
permit nopass :network as root cmd killall args -9 ppp
permit nopass :network as root cmd killall args -9 wpa_supplicant
permit nopass :network as root cmd ppp
permit nopass :network as root cmd route
permit nopass :network as root cmd tee args -a /etc/resolv.conf
permit nopass :network as root cmd tee args /etc/resolv.conf
permit nopass :network as root cmd umount
permit nopass :network as root cmd wpa_supplicant
__EOF

# pw groupmod network -m yourself
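
An added example (not part of network.sh): a small audit of the rules above that flags nopass rules whose cmd is not an absolute path or that carry no args restriction, since doas accepts any arguments when args is omitted. The function names are assumptions; the sample rules are the ones listed on this page.

```shell
#!/bin/sh
# Added example: flag doas.conf 'permit nopass' rules that are broader
# than the script needs.

# Constructed sample input: the rule set shown on this page.
sample_rules() {
  cat << '__EOF'
permit nopass :network as root cmd /etc/rc.d/netif args onerestart
permit nopass :network as root cmd /usr/sbin/service args squid onerestart
permit nopass :network as root cmd dhclient
permit nopass :network as root cmd ifconfig
permit nopass :network as root cmd killall args -9 dhclient
permit nopass :network as root cmd killall args -9 ppp
permit nopass :network as root cmd killall args -9 wpa_supplicant
permit nopass :network as root cmd ppp
permit nopass :network as root cmd route
permit nopass :network as root cmd tee args -a /etc/resolv.conf
permit nopass :network as root cmd tee args /etc/resolv.conf
permit nopass :network as root cmd umount
permit nopass :network as root cmd wpa_supplicant
__EOF
}

# audit_doas_rules: read rules on stdin, print one line per finding.
#   RELPATH <cmd>  cmd is not absolute (doas then searches a restricted PATH)
#   ANYARGS <cmd>  no 'args' keyword, so every argument list is accepted
#   ANYCMD  -      no 'cmd' keyword at all, so every command is accepted
# Rules that still ask for a password, deny rules and comments are skipped.
audit_doas_rules() {
  awk '
    $1 != "permit" { next }
    {
      nopass = 0; cmd = ""; has_args = 0
      for (i = 2; i <= NF; i++) {
        if ($i == "nopass") nopass = 1
        else if ($i == "cmd" && i < NF) { cmd = $(i + 1); i++ }
        else if ($i == "args" && cmd != "") { has_args = 1; break }
      }
      if (!nopass) next
      if (cmd == "") { print "ANYCMD", "-"; next }
      if (cmd !~ /^\//) print "RELPATH", cmd
      if (!has_args) print "ANYARGS", cmd
    }'
}

# Stand-alone use: sh audit-doas.sh /usr/local/etc/doas.conf
# Without an argument the constructed sample above is audited.
if [ $# -ge 1 ]; then
  audit_doas_rules < "$1"
else
  sample_rules | audit_doas_rules
fi
```

doas compares args literally, so pinning a rule means one line per exact invocation that network.sh prints, as the killall rules above already do.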

The network.sh script upon disconnect would also forcefully unmount all network shares.

The idea is that it does only one connection type at a time. When You type network.sh lan start and then type network.sh wlan start, then it will reset the entire FreeBSD network stack to defaults (to settings that are in /etc/rc.conf file) and then connect to WiFi in a ‘clean network environment’ as I could say. As I use 3 different methods of connecting to various networks I do not have any network settings in the /etc/rc.conf file, but You may prefer for example to have DHCP for local LAN enabled if that is more convenient for You.

The settings are on the beginning of the network.sh script, You should modify them to your needs and hardware that You own.


You can specify other NETFS filesystems that You want to forcefully unmount during network stop or set a different physical WLAN adapter (WLAN_PH option), like ath0 for Atheros chips. The same applies to the LAN interface (LAN_IF option), which also defaults to an Intel based network card with em0 driver.

You can disable random MAC address for LAN with LAN_RANDOM_MAC=0 and enable generation of random MAC address for WiFi networks with the WLAN_RANDOM_MAC=1 option.

You should also decide if You want to use sudo (SUDO option) or doas (DOAS option).

Here is network.sh script.

Here is an example of stopping all network connections.

% network.sh stop
doas killall -9 wpa_supplicant
doas killall -9 ppp
doas killall -9 dhclient
doas ifconfig wlan0 destroy
doas ifconfig em0 down
echo | doas tee /etc/resolv.conf
doas /etc/rc.d/netif onerestart

Here is an example of WLAN (or should I say WiFi) network connection start.

% network.sh wlan start
doas killall -9 wpa_supplicant
doas killall -9 ppp
doas killall -9 dhclient
doas ifconfig em0 down
doas ifconfig wlan0 down
echo | doas tee /etc/resolv.conf
doas /etc/rc.d/netif restart
doas ifconfig wlan0 up
doas ifconfig wlan0 scan
doas ifconfig wlan0 ssid -
doas wpa_supplicant -i wlan0 -c /etc/wpa_supplicant.conf -s -B
doas dhclient -q wlan0
echo | doas tee /etc/resolv.conf
echo 'nameserver' | doas tee -a /etc/resolv.conf
doas ifconfig wlan0 powersave

Here is an example of DNS change.

% network.sh dns ibm
echo | doas tee /etc/resolv.conf
echo 'nameserver' | doas tee -a /etc/resolv.conf

If You have any problems with the network.sh script then let me know, I will try to fix them ASAP.

If You are more into OpenBSD than FreeBSD then Vincent Delft wrote nmctl – Network Manager Control tool for OpenBSD – available here – http://vincentdelft.be/post/post_20171023.

There is also another OpenBSD project by Aaron Poffenberger for network management – netctl – cli network-location manager for OpenBSD – available here – https://github.com/akpoff/netctl.

UPDATE 1 – Connect to Open/Unsecured WiFi Network

Recently when I was attending the Salt workshop during NLUUG Autumn Conference 2018 at Utrecht, Netherlands I wanted to connect to an open unsecured WiFi network called 'Utrecht Hotel'. My phone of course attached to it instantly but on the other hand FreeBSD was not able to connect to it. As it turns out if you want to enable wpa_supplicant(8) to connect to an open unsecured network a separate /etc/wpa_supplicant.conf option is needed (one option for all open unsecured networks – no need to create such a rule for each open/unsecured network).

It's these lines in the /etc/wpa_supplicant.conf file:

% grep -C 2 key_mgmt=NONE /etc/wpa_supplicant.conf
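
An added example, not the author's file: one way to write the /etc/wpa_supplicant.conf that both posts rely on, holding a WPA-PSK network and the single catch-all block for open networks. The function name, SSID, passphrase and priority values are assumptions; the file is forced to mode 0600 because it stores the passphrase in clear text.

```shell
#!/bin/sh
# Added example: write a wpa_supplicant.conf without exposing the passphrase.
# The SSID, passphrase and priority values used with it are placeholders.

# write_wpa_conf PATH SSID
# The passphrase is read from stdin, so it never appears in the process
# list or in the shell history.
write_wpa_conf() {
  conf=$1
  ssid=$2
  pass=''
  IFS= read -r pass || :
  # WPA-PSK passphrases are 8 to 63 characters long.
  if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
    echo "passphrase must be 8..63 characters" >&2
    return 1
  fi
  # Conservative: refuse double quotes instead of guessing at escaping.
  case $ssid$pass in
    *'"'*) echo "double quotes are not supported here" >&2; return 1 ;;
  esac
  # Create (or empty) the file and lock it down before the secret is written,
  # so an existing world-readable file never holds the passphrase.
  ( umask 077 && : > "$conf" && chmod 600 "$conf" ) || return 1
  cat >> "$conf" << __EOF
# Known network, preferred over the catch-all below (higher priority wins).
network={
  ssid="$ssid"
  key_mgmt=WPA-PSK
  psk="$pass"
  priority=5
}

# One block for all open/unsecured networks: no ssid, so any open AP matches.
network={
  key_mgmt=NONE
  priority=0
}
__EOF
}

# Stand-alone use: sh write-wpa-conf.sh /etc/wpa_supplicant.conf SSID
# (then type the passphrase and press ENTER).
if [ $# -eq 2 ]; then
  write_wpa_conf "$1" "$2"
fi
```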


I also modified the network.sh to contain that information in the examples section and also made a little fix to always reset the previously set/forced SSID during earlier usage.

# ifconfig wlan0 ssid -

Now the network.sh should be even more pleasant to use.

UPDATE 2 – Openbox Integration

In one of the FreeBSD Desktop series articles I described how to setup Openbox window manager – FreeBSD Desktop – Part 12 – Configuration – Openbox – available here.

Below is an example of integration of that network.sh script with Openbox window manager.


… and here is the code used in the ~/.config/openbox/menu.xml file.


UPDATE 3 – Updated Status Page

I have just added a reworked status page to the network.sh script.

It's already updated in the GitHub ‘network’ repository:

Here is how it looks.


UPDATE 4 – Major Rework

After using network.sh script for a while I saw some needed changes. Time has come and I finally made them. I also found a problem with creating the wlan0 virtual device from a physical device (like iwn0).

When you start network.sh script for the first time and wlan0 is not yet created then the problem does not exist but when wlan0 already exists then network.sh waited for a whopping 22 seconds on this single command. Now network.sh checks if the wlan0 device already exists which now allows WiFi connection in less than 3 seconds.


# Before: the create command was always run.
#DOAS# permit nopass :network as root cmd ifconfig
#SUDO# %network ALL = NOPASSWD: /sbin/ifconfig *
${CMD} ifconfig ${WLAN_IF} create wlandev ${WLAN_PH} 2> /dev/null
echo ${CMD} ifconfig ${WLAN_IF} create wlandev ${WLAN_PH}

# After: create the device only when it does not exist yet.
if ! ifconfig ${WLAN_IF} 1> /dev/null 2> /dev/null
then
  #DOAS# permit nopass :network as root cmd ifconfig
  #SUDO# %network ALL = NOPASSWD: /sbin/ifconfig *
  ${CMD} ifconfig ${WLAN_IF} create wlandev ${WLAN_PH} 2> /dev/null
  echo ${CMD} ifconfig ${WLAN_IF} create wlandev ${WLAN_PH}
fi

I used gnomon to benchmark the script execution.

Here is its simple installation process.

# pkg install -y npm
# npm install -g gnomon

Here is how it performed before the optimization. About 25 seconds.


And here is how it performs now. About 3 seconds.


At first I suspected the /etc/rc.d/netif FreeBSD startup script but the real enemy was the ifconfig wlan0 create wlandev iwn0 command.

I also made it more verbose to better know where the time is wasted.


It's now possible to set static IP and gateway in LAN mode and static IP in DNS mode.


The complete summary of changes and improvements is here:

  • Static IP address and gateway on LAN now possible.
  • Specify DNS by IP address.
  • Simplified __random_mac() function.
  • Fixed __wlan_wait_associated() function.
  • Removed unneeded call for “create wlandev” in WLAN mode.
  • Other minor fixes.
  • WiFi (re)connection now possible under 3 seconds instead of 25+ seconds.

I also created a dedicated GitHub repository for network.sh script.