Tutorials and FAQs / HOWTO: Setup OpenWRT Virtual Machine on OPNsense and use it to manage a WiFi AP
« on: May 15, 2023, 07:42:26 pm »
A while ago I upgraded the WiFi device of my laptop and ended up with a spare Intel AX201 M.2 card.
I've been running OPNsense at home on an Intel 5105 NUC baremetal and it has a free M.2 slot.
Inspired by @pinako's post (https://forum.opnsense.org/index.php?topic=32813.0) and knowing the abysmal WiFi support on FreeBSD, I set out to repurpose the card as a WiFi AP on my OPNsense, using an OpenWRT VM installed on FreeBSD's own hypervisor (bhyve) to manage it.
This is a guide on how to do it.
Prerequisites:
- OPNsense is running baremetal on a machine capable of IO virtualization and PCI passthrough (IOMMU aka VT-d on Intel, AMD-Vi on AMD).
- FreeBSD repo is enabled
1. Install vm-bhyve (https://github.com/churchers/vm-bhyve) to manage bhyve:
Code:
pkg install vm-bhyve grub2-bhyve bhyve-firmware
mkdir /home/vm # or 'zfs create pool/vm' if you are using zfs
sysrc vm_enable="YES"
sysrc vm_dir="/home/vm" # or "zfs:pool/vm"
vm init
2. In OPNsense web-GUI:
- Create a bridge interface in the OPNsense GUI and assign an interface (eg: LAN1) as a member.
- Assign the newly created bridge iface (eg: bridge0) to a new iface (eg: VM_BRIDGE).
- The IP address must be configured on the bridge iface, NOT on the member iface. Assign an IP address (eg: 192.168.99.1) to VM_BRIDGE and unassign everything from LAN1.
- Enable DHCPDv4 on VM_BRIDGE and make sure the gateway option in DHCPD is set to VM_BRIDGE's address (192.168.99.1).
- Create firewall rule(s) on VM_BRIDGE to pass traffic.
- Add the following tunables (System>Settings>Tunables) to enable filtering on the bridge iface and disable filtering on the member ifaces:
Code:
net.link.bridge.pfil_bridge -> 1
net.link.bridge.pfil_member -> 0
3. Create a vm-bhyve switch from our bridge and name it 'public':
Code:
vm switch create -t manual -b bridge0 public
4. Determine the PCI ID of the WiFi device we want to pass through:
Code:
[root@router ~]# vm passthru
DEVICE BHYVE ID READY DESCRIPTION
hostb0 0/0/0 No -
vgapci0 0/2/0 No JasperLake [UHD Graphics]
none0 0/4/0 No Dynamic Tuning service
xhci0 0/20/0 No -
iwlwifi0 0/20/3 No Wi-Fi 6 AX201 160MHz <--- This!
sdhci_pci0 0/20/5 No -
As we can see, the device ID is 0/20/3 and it is being managed by the iwlwifi driver. Before we can pass the device through to OpenWRT, we need to tell the kernel not to load its driver for it, by adding these tunables via the web-GUI again:
Code:
vmm_load -> YES
pptdevs -> 0/20/3
Reboot and verify:
Code:
[root@router ~]# vm passthru
DEVICE BHYVE ID READY DESCRIPTION
hostb0 0/0/0 No -
vgapci0 0/2/0 No JasperLake [UHD Graphics]
none0 0/4/0 No Dynamic Tuning service
xhci0 0/20/0 No -
ppt0 0/20/3 Yes Wi-Fi 6 AX201 160MHz
sdhci_pci0 0/20/5 No -
Good, now the device is assigned to the ppt driver and ready for use.
4. Create the OpenWRT VM and download the latest OpenWrt image (https://downloads.openwrt.org/releases/22.03.5/targets/x86/64/). We are using one of the EFI images:
Code:
vm create -s0 openwrt # zero size image
cd /home/vm/openwrt # or /pool/vm/openwrt
rm disk0.img # we won't be using the default created img
fetch https://downloads.openwrt.org/releases/22.03.5/targets/x86/64/openwrt-22.03.5-x86-64-generic-ext4-combined-efi.img.gz
gunzip openwrt-22.03.5-x86-64-generic-ext4-combined-efi.img.gz
5. Edit and modify openwrt.conf:
Code:
loader="uefi"
cpu=2
memory=512M # 256MB should be enough but just in case
network0_type="virtio-net"
network0_switch="public"
disk0_type="virtio-blk"
disk0_name="openwrt-22.03.5-x86-64-generic-ext4-combined-efi.img"
passthru0="0/20/3=7:0" # We map the device to slot 7 on OpenWrt
*Do not change the 'uuid' & 'network0_mac' values.
6. Start the VM and attach to its console:
Code:
vm start -f openwrt
7. If all is well, we are now in the OpenWRT shell as root. We can then perform the OpenWRT initial setup:
Code:
passwd # set root password
/etc/init.d/odhcpd disable # Disable OpenWRT DHCP & DNS servers
/etc/init.d/dnsmasq disable
uci set network.lan.ipaddr='192.168.99.2/24'
uci set network.lan.gateway='192.168.99.1'
uci set network.lan.dns='192.168.99.1'
uci commit
/etc/init.d/network restart
opkg update
opkg install luci
Find the firmware for our device at https://openwrt.org/packages/index/firmware, eg: iwlwifi-firmware-ax210 for Intel AX210:
Code:
opkg install kmod-iwlwifi iwlwifi-firmware-ax210 hostapd-openssl
reboot
8. After rebooting, OpenWRT should be reachable at 192.168.99.2 (Web-GUI and SSH). All that's left to do is to configure a non-routing AP (Dumb AP); continue by following the OpenWRT guide (https://openwrt.org/docs/guide-user/network/wifi/dumbap).
Once the AP is up and running, any client connected to it will get its IP address from OPNsense DHCPD.
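For the image download in the "Create OpenWRT VM" step, an added example (not part of the original post) that checks the fetched file against the `sha256sums` file OpenWrt publishes in the same release directory, before the image is unpacked and booted. The function names `file_sha256` and `verify_image` are made up for this example; it uses FreeBSD's `sha256` when present and falls back to `sha256sum`.

```shell
#!/bin/sh
# Added example: verify a downloaded OpenWrt image against the release's
# sha256sums file. Function names are made up for this example.

# Print the SHA-256 of a file using whichever tool the host has.
file_sha256() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                      # FreeBSD / OPNsense
    else
        sha256sum "$1" | awk '{print $1}'   # Linux and others
    fi
}

# verify_image SUMS_FILE IMAGE
# Returns 0 on a match, 1 on a mismatch, 2 if IMAGE has no entry in SUMS_FILE.
verify_image() {
    sums=$1
    image=$2
    name=$(basename "$image")

    # Lines look like "<hash> *<filename>"; compare the file name exactly so a
    # different image with a similar name can never satisfy the check.
    expected=$(awk -v n="$name" '
        { f = $2; sub(/^\*/, "", f) }
        f == n { print $1; exit }' "$sums")
    if [ -z "$expected" ]; then
        echo "no checksum listed for $name" >&2
        return 2
    fi

    actual=$(file_sha256 "$image")
    if [ "$actual" = "$expected" ]; then
        echo "OK: $name"
        return 0
    fi
    echo "MISMATCH: $name (expected $expected, got $actual)" >&2
    return 1
}

# Typical use in /home/vm/openwrt, between the fetch and gunzip lines above:
#   fetch https://downloads.openwrt.org/releases/22.03.5/targets/x86/64/sha256sums
#   verify_image sha256sums openwrt-22.03.5-x86-64-generic-ext4-combined-efi.img.gz \
#       && gunzip openwrt-22.03.5-x86-64-generic-ext4-combined-efi.img.gz
```

A matching hash only shows that the image agrees with the listing; the release directory also carries signature files for `sha256sums` itself, which can be checked separately.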
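For the "Reboot and verify" check in the passthrough step, an added example (not part of the original post) that reads the `passthruN` entries from the VM's config and confirms each device shows up as `pptN` with READY `Yes` in saved `vm passthru` output before the VM is started. The function names are made up for this example, and it assumes the column layout shown in the listings above.

```shell
#!/bin/sh
# Added example: before "vm start", confirm every passthruN device named in
# the VM config is claimed by ppt on the host. Function names are made up.

# List the BHYVE IDs from passthruN="B/S/F[=slot:func]" lines of a config file.
config_passthru_ids() {
    sed -n 's|^passthru[0-9]*="\{0,1\}\([0-9][0-9]*/[0-9][0-9]*/[0-9][0-9]*\).*|\1|p' "$1"
}

# device_ready BHYVE_ID LISTING_FILE
# Returns 0 if the row is pptN with READY=Yes, 1 if another driver still
# owns the device, 2 if the ID does not appear in the listing at all.
device_ready() {
    awk -v id="$1" '
        $2 == id {
            found = 1
            if ($1 ~ /^ppt[0-9]+$/ && $3 == "Yes") ok = 1
            else owner = $1
        }
        END {
            if (!found) { print id ": not listed" > "/dev/stderr"; exit 2 }
            if (!ok)    { print id ": still owned by " owner > "/dev/stderr"; exit 1 }
        }' "$2"
}

# check_vm_passthru CONFIG LISTING_FILE
# Returns non-zero if any configured passthrough device is not ready.
check_vm_passthru() {
    rc=0
    for id in $(config_passthru_ids "$1"); do
        device_ready "$id" "$2" || rc=1
    done
    return $rc
}

# Typical use on the OPNsense host after the reboot:
#   vm passthru > /tmp/passthru.txt
#   check_vm_passthru /home/vm/openwrt/openwrt.conf /tmp/passthru.txt \
#       && vm start -f openwrt
```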