Updated on 2/24/2025
Internet
|
----------------
| 104.97.193.16 |
| ISP Router |
| 10.10.0.1 |
----------------
|
----------------------------------------------------
| eth0 10.10.0.2 |
| |
| Linux Wireless Access Point |
| |
| wlan0 192.168.4.1 |
----------------------------------------------------
|
~
|
--------------
| wlan |
| 192.168.4.x |
--------------
Steps:
To prevent the NetworkManager from Managing wlan0:
Add the following at the end of /etc/NetworkManager/NetworkManager.conf.
[keyfile]
unmanaged-devices=interface-name:wlan0
To enable packet forwarding, add the following to etc/sysctl.conf
net.ipv4.ip_forward=1
How you assign the AP an ip addresses depends on which network manager you are using, or you can just use the ip commands. For now, we will use the ip commands.
To automate the process, I put the ip commands in a script file, and called the script file from crontab at boot.
My script file is:
ip link dev wlan0 up
ip add address 192.168.4.1/24 brd + dev wlan0
The ip address you assigned here, will be used in the DHCP Server section (next) as the address of the gateway LAN.
Althought the name implies that it is a DNS server, dnsmasq, is also an excellent DHCP server.
Dnsmasq was writen by Simmon Kelley. It was originally released in 2001 (24 years ago) [1]. Lots of people have contributed to it. In 2017, Google, did a bug search using fuzzy logic [4]. They discovered several bug and all were fixed. On 13 Feb 2024 version 2.90 was released [1].
To install dnsmasq:
sudo apt install dnsmasq
To enable it to run at startup:
sudo systemctl unmask dnsmasq
sudo systemctl enable dnsmasq
If the configuration file /etc/dnsmasq.conf exist back it up:
sudo mv /etc/dnsmasq.conf /etc/dnsmasq.conf.org
Create a new /etcmasq.conf file, and place the followin in it:
interface=wlan0 # Listening interface
dhcp-range=192.168.4.2,192.168.4.20,255.255.255.0,24h
# Pool of IP addresses served via DHCP
domain=wlan # Local wireless DNS domain
address=/gw.wlan/192.168.4.1
# Alias for this router
Add the port=0 statement to disable the dns server. Otherwize, ports 53, 67 and 68 will be open.
The dhcp-range statements enable the dhcp server and assigns ip addresses in the stated range. The lease is for 24 hours.
Dnsmasq References:
A simple nft table that performs Network Address Translation (many-to-one) is:
table inet router {
chain postrouting {
type nat hook postrouting priority filter; policy accept;
oifname "eth0" masquerade
}
}
Place the above lines in a file. I named mine /etc/masquerade_eth0.nft
To load and run this file:
sudo nft -f /etc/masquerade_eth0.nft
The Offical Raspberry Pi documenation uses hostapd for this. There is nothing wrong with hostapd, but why install an additional software package when an already install package, wpa_supplicant, will do the same task.
hostapd is a daemon for access point and authentication of wireless servers. It implements IEEE 802.11 access point management.
It was written by Jouni Malinen and contributors [2]. It dates to 2002. There is a man page for it in Debian [3]. There is no man page for hostapd in the Raspberry Pi OS.
To install hostapd:
sudo apt install hostapd
To enable it to run at startup:
sudo systemctl unmask hostapd
sudo systemctl enable hostapd
sudo reboot
You specify the wireless parameters and authentication in hostapd's configuration file. Its location and name are user defined. In the file /etc/default/hostapd, find the line DAEMON_CONF="", uncomment it and specify the full path and name of your configuration file. Warning do not confuse, the last line, DAEMON_OPTS="" with DAMEMON_CONF="".
Hostapd comes with a default configuration file, /etc/hostapd/hostapd.conf. For this reason, the usual procedure is to set DAEMON_CON="" to /etc/hostapd/hostapd.conf. That is:
DAEMON_CONF="/etc/hostapd/hostapd.conf"
However, all the options in the default /etc/hostapd/hostapd.conf are commented out, and it is a long file. Therefore, most people back it up and create their own:
sudo mv /etc/hostapd/hostapd.conf /etc/hostapd/hostapd.conf.bak
sudo vi /etc/hostapd/hostapd.conf
Below is the sample hostapd.conf file that is in the Raspberry older Pi Configuration Documentation [1]:
country_code=GB
interface=wlan0
ssid=NameOfNetwork
hw_mode=g
channel=7
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_passphrase=AardvarkBadgerHedgehog
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
It is for an older wifi "g" network. We now have n, ac, and ax. The line wpa_parwise=TKIP should be commented out. TKIP is part to Wired Equivalent Privacy (WEP), which can easily be cracked.
Below is my template for hostapd.conf file for the Raspberry Pi 4/5 with an 802.11ac radio:
# ------------- Radio ----------------
# the country code
country_code=US
# limit radio frequencies to those allowed in country
ieee80211d=1
# interface used for the AP
interface=wlan0
# network name
ssid=tracker-1
# a is the 5 GHz radio
hw_mode=a
# 801.11ac support
ieee80211ac=1
# 802.11n support
ieee80211n=1
# To specify the raido channel:
channel=149
# To enable auto channel select (ACS)
#channel=0
# QoS support, also required for full speed on 802.11n/ac/ax
wmm_enabled=1
# disable this to insure the AP is visible
ignore_broadcast_ssid=0
# ------ authentication and Encryption-------
# wep has been cracked - do not use 2 or 3
# 1=wpa, 2=wep, 3=both
auth_algs=1
# wpa=2 or wpa=3
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
# network password
wpa_passphrase=misscoco
# mac address authentication list (macaddr_acl)
# macaddr_acl=0, accepts all mac address unless in hostapd.deny
# The location of hostapd.deny is specified via the line below, which is commented out.
# deny_mac_file=/etc/hostapd.deny
macaddr_acl=0
You should choose your own ssid (tracker-1) and wpa_passphase (misscoco).
Provided that the hardware support it, hostapd has the capability to scan the channels and select the best channel. The pi 4/5 support it. To activate hostapd's auto channel select (ACS), set the channel to 0. The disadvantage of activating ACS, is the length of time it takes to ACS - upwards of 45 seconds. I only recommend using ACS after you have finished troubleshooting, and then only temporarily. That is, after you know the channel or channels ACS is selecting, manually set the channel to one of the selected by ACS channels and avoid the 45 second delay every time you boot.
To determine which channel was selected by ACS:
sudo iw dev wlan0 info
If hostapd runs at startup, you need to stop it, and manually restart it to receive diagnostics.
To stop hostapd:
sudo killall hostapd
To start hostapd:
sudo /usr/sbin/hostapd /etc/hostapd/hostapd.conf
Hostapd References:
Both ip and nft commands require root privileges.
To evoke root's crontab editor:
sudo crontab -e
Add the following line:
@reboot sleep 5s; /etc/ap_address.sh; /usr/sbin/nft -f /etc/masquerade_eth0.nft
sudo reboot
Advantages
Disadvantages
systemd-networkd is more than an DHCP client. It has a built-in DHCP server that can assign ip addresses to clients connected to the AP. For outgoing packets it has built-in Network Address Translation (NAT). Which replaces the client's ip address with the AP's ip address.
If the NetworkManager is your default network manager, then you need to disable it:
sudo systemctl disable --now NetworkManager
If the systemd-networkd package is not installed, you need to install it:
sudo apt install systemd-networkd
sudo systemctl enable -now systemd-networkd
If systemd-resolved package is not installed, install it:
sudo apt install systemd-resolved
sudo system enable --now systemd-resolved
The systemd-resolved daemon stores resolve configuration at /run/systemd/resolve/resolv.conf. Since many applications rely on finding that information at /etc/resolv.conf, it is common practice to create a symlink [1].
sudo ln -sf /run/systemd/resolve/resolv.conf /etc/resolv.conf
Reboot
sudo reboot now
References:
Assign the wireless interface an ip address and configure the built-in DHCP server.
In the /etc/networkd/network directory create a file with the extension ".network" and place the following in that file:
[Match]
Name=wlan0
[Network]
# Assign a static ip address
Address=192.168.4.1/24
#
MulticastDNS=yes
#
DNS=192.168.37.1
# use the built-in Masquerade
IPMasquerade=ipv4
# use the built-in DHCP server
DHCPServer=yes
[DHCPServer]
PoolOffset=100
PoolSize=154
EmitDNS=yes
DNS=192.168.37.1
The IPMasquerade=ipv4 statement, will enable packet forwarding and generate nft tables that will perform NAT.
The DHCPServer statements will assign ip addresses to AP clients.
If both interfaces are ethernet, you can stop here.
All that is left to do is to set up the server's radio and client authentication. For this, there are two options:
Wpa_supplicant can be used as both a server and a client.
To use wpa_supplicant to set up the wireless server and authenticate clients, in the directory /etc/systemd/network create a file wpa_supplicant-wlan0.conf, and place the following in it [4,5,6]:
country=US
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1
network={
# RADIO:
# AP name
ssid="Tracker-1"
# scanning mode
mode=2
# channel 6
frequency=2437
# AUTHENICATION:
#key_mgmt=NONE # uncomment this for an open hotspot
# delete next 3 lines if key_mgmt=NONE
key_mgmt=WPA-PSK
proto=RSN WPA
psk="password"
}
The password is in plain text. Therefore, only allow root to read this file:
sudo chmod 600 /etc/wpa_supplicant/wpa_supplicant-wlan0.conf
Enable the service:
sudo systemctl disable --now wpa_supplicant.service
sudo systemctl enable -- now wpa_supplancant@wlan0.service
Reboot
sudo reboot
For troubleshooting, see reference [4] below.
The instructions are the same as hostapd above.
Systemd-networkd generated two nft tables. One for IPv4 and one for IPv6. They are more complicated than my simple NAT table.
To view the tables:
sudo nft list ruleset
table ip io.systemd.nat {
set masq_saddr {
type ipv4_addr
flags interval
elements = { 192.168.4.0/24 }
}
map map_port_ipport {
type inet_proto . inet_service : ipv4_addr . inet_service
}
chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
ip daddr != 127.0.0.0/8 oif "lo" dnat ip to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
ip saddr @masq_saddr masquerade
}
}
table ip6 io.systemd.nat {
set masq_saddr {
type ipv6_addr
flags interval
}
map map_port_ipport {
type inet_proto . inet_service : ipv6_addr . inet_service
}
chain prerouting {
type nat hook prerouting priority dstnat + 1; policy accept;
fib daddr type local dnat ip6 to meta l4proto . th dport map @map_port_ipport
}
chain output {
type nat hook output priority -99; policy accept;
ip6 daddr != ::1 oif "lo" dnat ip6 to meta l4proto . th dport map @map_port_ipport
}
chain postrouting {
type nat hook postrouting priority srcnat + 1; policy accept;
ip6 saddr @masq_saddr masquerade
}
}
Systemd-networkd is a complete network manager. All of the parmeters are stored in two configuration files: /etc/systemd/network/*.network and /etc/wpa_supplicant/wpa_suplicant-wlan0.conf. Hence, there is no need for crontab to call anything at reboot.
Be aware that some older articles would lead you to believe that systemd-networkd is not a complete network manager. For example, the article in references [11] and [12] uses dnsmasq rather than the built-in DHCPServer, and to implement NAT, Firewalld is used. This article is well written, but conceptionaly it is very misleading.
Systemd-Networkd References:
| 1 | 2402 | 2412 | 2422 |
| 2 | 2407 | 2417 | 2427 |
| 3 | 2412 | 2422 | 2432 |
| 4 | 2417 | 2427 | 2437 |
| 5 | 2422 | 2432 | 2442 |
| 6 | 2427 | 2437 | 2447 |
| 7 | 2432 | 2442 | 2452 |
| 8 | 2437 | 2447 | 2457 |
| 9 | 2442 | 2452 | 2462 |
| 10 | 2447 | 2457 | 2467 |
| 11 | 2452 | 2462 | 2472 |
As stated in the Offical Raspberry Pi Documentatin [1], you can create a hotspot (AP-Routed) with only one command:
sudo nmcli device wifi hotspot ssid example-network-name password example-password
However, they do not inform you that it will not autoconnect on reboot. The profile name for this AP/interface is Hotspot (yes there is an inconsistency - it is captial H here and below). To autoconnect on reboot:
sudo nmcli connection modify Hotspot connection.autoconnect yes
The default ip address for this AP is 10.42.0.1. I do not know how this would work if you had more than one wireless interface.
I highly recommend the following to properly set up a hotspot (AP-Routed):
Before you begin if to set up the wifi interface, confirm that it supports AP mode:
sudo nmcli -f WIFI-PROPERTIES.AP device show wlan0
Name your profile and the ssid. The ssid is required to be on this line:
sudo nmcli connection add type wifi ifname wlan0 con-name profile_AP ssid Tracker-4
If you do not assign an ip address to the AP/interface, it will default to 10.42.x.1.24. To assign an ip address:
sudo nmcli con modify profile_AP ipv4.address 192.168.4.1/24
Set Up AP Mode (shared) :
sudo nmcli connection modify profile_AP ipv4.method shared
Optionally - recommended:
sudo nmcli connection modify profile_AP ipv6.method ignore
Optionally - not recommended:
sudo nmcli connection modify profile_AP ipv4.dns 1.1.1.1
Set Up the Radio (valid bands are either "bg", or "a") :
sudo nmcli connection modify profile_AP 802-11-wireless.mode ap
sudo nmcli connection modify profile_AP 802-11-wireless.band bg
Lean how to use 802-11-wireless.channel-width. NetworkManager curently defaults to the safest, which is the smallest [2]. Valid values for the "a" band are auto (0), 20mhz (20), 40mHz (40), 80 mHz (80).
If you do not assign a channel to your radio, it wil autoscan.
Optional
sudo nmcli connection modify profile_AP 802-11-wireless.channel 1
Set Up Security:
sudo nmcli connection modify profile_AP wifi-sec.key-mgmt wpa-psk
sudo nmcli connection modify profile_AP wifi-sec.pairwise ccmp
sudo nmcli connection modify profile_AP wifi-sec.proto rsn
sudo nmcli connection modify profile_AP wifi-sec.psk 12345678
Bring up the AP:
sudo nmcli connection up profile_AP
It looks like the default is to now autoconnect. So, the command below may not be neccessary.
sudo nmcli connection modify profile_AP connection.autoconnect yes
The best I can determine, NetworkManager currenly does not support a range of addresses to be assigned to clients. This is ironic, since it uses dnsmasq or some form of it, and dnsmasq has this feature. You can however, specify a static ip addresses for a specific client (via mac address). I believe that I read that the NetworkManager hashes the client's mac address to determine the lower part of the ip address it will be assigned. It looks like the NetworkManger also uses wpa_supplicant.
If channel select autoscan was used, you can determine the channel with:
sudo iw dev wlan0 info
To view the profile file:
sudo cat /etc/NetworkManager/system-connections/profile_AP.nmconnection
[connection]
id=profile_AP
uuid=cdaa8553-332e-4ab1-8318-97c79a1b4406
type=wifi
interface-name=wlan0
timestamp=1740158557
[wifi]
band=bg
mode=ap
ssid=Tracker-3
[wifi-security]
key-mgmt=wpa-psk
pairwise=ccmp;
proto=rsn;
psk=12345678
[ipv4]
address1=192.168.4.1/24
method=shared
[ipv6]
addr-gen-mode=default
method=ignore
[proxy]
To view the nft table generated by the NetworkManager for NAT:
sudo nft list ruleset
table ip nm-shared-wlan0 {
chain nat_postrouting {
type nat hook postrouting priority srcnat; policy accept;
ip saddr 192.168.4.0/24 ip daddr != 192.168.4.0/24 masquerade
}
chain filter_forward {
type filter hook forward priority filter; policy accept;
ip daddr 192.168.4.0/24 oifname "wlan0" ct state { established, related } accept
ip saddr 192.168.4.0/24 iifname "wlan0" accept
iifname "wlan0" oifname "wlan0" accept
iifname "wlan0" reject
oifname "wlan0" reject
}
}
NetworkManger References:
+- RPi -------+
+---+ 10.10.0.2 | +- Laptop ----+
| | WLAN AP +-))) (((-+ WLAN Client |
| | Bridge | | 10.10.0.5 |
| +-------------+ +-------------+
+- Router ----+ |
| Firewall | | +- PC#2 ------+
(Internet)---WAN-+ DHCP server +-LAN-+---+ 10.10.0.3 |
| 10.10.0.1 | | +-------------+
+-------------+ |
| +- PC#1 ------+
+---+ 10.10.0.4 |
+-------------+
© Copyright Dr. Ray Franco, PhD, PE | 2006-2025. All rights reserved.
