Wifi access point with traffic routed through ethernet
This guide will set up the pi as a wifi access point/router that will forward all traffic received on the wifi interface through the ethernet interface.
Wifi interface requirements
The wifi interface will need to support working as an access point. To check for this follow these steps:
- iw list
- Look for the "Supported interface modes"
- AP should be one of the modes
If your devices also support "combinations" of interface modes, you could set it up as a repeater for an existing wifi network, instead of creating a new network, see this.
Set up access point
We need to set up a wireless network, with the pi as access point.
- apt install hostapd
- Edit or create /etc/hostapd/hostapd.conf, see documentation for it here. Commonly you should set:
  - interface={your network interface (e.g. wlan0)}
  - driver=nl80211 (general driver, works for almost everything)
  - ssid={name of the network} (put something funny here)
  - hw_mode={a, b or g} (g is the most common setup)
  - country_code={ISO code for your country} (this sets allowed channels and transmitting power)
  - channel={channel number}: choose the channel number so that it has minimum overlap with existing networks. Channels are 2 wide on each side, so if an existing network is on channel 6, you can choose 1 or 11. See this list for channels you are allowed to use in your country (in general between 1-11 for US, 1-13 rest of the world).
  - For WPA2 security:
wpa_passphrase={Your Passphrase, beware that there's a minimum length requirement}
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=2
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
- Edit /etc/default/hostapd so that hostapd can be started as a service:
  - Set DAEMON_CONF="/etc/hostapd/hostapd.conf"
- Deactivate any existing wifi connection managed by wpa_supplicant
  - Edit /etc/wpa_supplicant/wpa_supplicant.conf and comment any existing network settings
  - (I am not sure this is the best way to do it)
    - service wpa_supplicant stop
    - killall wpa_supplicant (the previous command may not actually kill the process)
    - service wpa_supplicant start (so that it will reload the new configuration)
- systemctl start hostapd to start the daemon
- systemctl enable hostapd to start hostapd on boot
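A check for the WPA settings listed above, as an added example that is not part of the original guide: it reads a hostapd.conf on stdin and flags a missing or WPA1-enabling wpa value, a passphrase outside hostapd's 8 to 63 character range, and TKIP among the effective pairwise ciphers. Both sample configurations and their passphrases are constructed.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: audit the WPA settings of a
# hostapd.conf read from stdin. Prints one finding per line, returns 1 if any.

conf_get() {  # conf_get <key>: value of the last uncommented key= line in $conf
    printf '%s\n' "$conf" | sed -n "s/^[[:space:]]*$1=//p" | tail -n 1
}

audit_hostapd() {
    local conf wpa pass ciphers rc=0
    conf=$(cat)
    wpa=$(conf_get wpa)
    pass=$(conf_get wpa_passphrase)
    # WPA2 (RSN) uses rsn_pairwise; hostapd falls back to wpa_pairwise if unset.
    ciphers=$(conf_get rsn_pairwise)
    [ -n "$ciphers" ] || ciphers=$(conf_get wpa_pairwise)
    case $wpa in
        2)    ;;
        ''|0) echo "NOWPA: wpa is not enabled, so there is no WPA2 protection"; return 1 ;;
        *)    echo "WPA1: wpa=$wpa enables WPA version 1, set wpa=2"; rc=1 ;;
    esac
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "PASSPHRASE: length ${#pass} is outside the 8..63 range"; rc=1
    fi
    case " $ciphers " in
        *" TKIP "*) echo "TKIP: pairwise ciphers '$ciphers' include TKIP"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: the guide's WPA2 settings with a made-up passphrase.
sample_guide_conf() { cat <<'EOF'
wpa_passphrase=correct horse battery staple
wpa=2
wpa_pairwise=TKIP
rsn_pairwise=CCMP
EOF
}
# Constructed sample: mixed WPA/WPA2, short passphrase, TKIP as fallback cipher.
sample_weak_conf() { cat <<'EOF'
wpa_passphrase=pi1234
wpa=3
wpa_pairwise=TKIP CCMP
EOF
}

sample_guide_conf | audit_hostapd && echo "guide settings: no findings"
sample_weak_conf | audit_hostapd || echo "weak sample: findings listed above"
```

Run it on the real file with audit_hostapd < /etc/hostapd/hostapd.conf. With wpa=2 and rsn_pairwise=CCMP, as in the guide, the wpa_pairwise=TKIP line does not apply to WPA2 clients.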
Setting static wireless interface address
First, we need to set the pi so it has a static address on the wifi interface.
You must not modify /etc/network/interfaces directly. This used to work, but the latest versions of the pi's dhcp client will ignore these modifications and set up a different address.
- Add the following lines to /etc/dhcpcd.conf:
# Settings for wifi interface
interface wlan0
#Setting static ip address:
static ip_address={ip address}/{netmask}
- service hostapd restart
DHCP server on wireless network
The dhcp server will provide computers that connect to the wireless network with addresses.
- Install the server
apt install isc-dhcp-server
- Edit /etc/dhcp/dhcpd.conf according to your desired configuration. You may want to edit in particular:
  - option domain-name to what your network is called
  - option domain-name-servers to the default dns servers of your network
  - authoritative directive. The pi should be the authoritative dhcp server on the wireless network, so uncomment it.
  - Add a subnet definition: an example one can be:
subnet 10.5.5.0 netmask 255.255.255.0 {
range 10.5.5.20 10.5.5.30;
option routers 10.5.5.1;
option broadcast-address 10.5.5.255;
}
- Enable the dhcp server on the wireless interface:
  - Edit /etc/default/isc-dhcp-server
  - Set INTERFACESv{4 or 6}="{wireless interface name}"
- systemctl start isc-dhcp-server: make sure hostapd has been started and the static ip address has been assigned before running this command, otherwise it will fail
- systemctl enable isc-dhcp-server
- Make sure that incoming traffic on port 67/UDP is allowed so the server can be reached.
Forward wireless traffic through ethernet
We set up a network. It would be nice if the pi could act as a gateway so that packets received on the network could be forwarded to the internet.
- Enable packet forwarding:
echo 1 > /proc/sys/net/ipv4/ip_forward
- Make that change permanent across reboots:
  - Edit /etc/sysctl.conf
  - Set net.ipv4.ip_forward=1
- Use iptables to set up NAT:
  - iptables -t filter -A FORWARD -s {wifi ip pool} -j ACCEPT: allow traffic coming from the wireless network to pass through.
  - iptables -t filter -A FORWARD -d {wifi ip pool} -m state --state ESTABLISHED,RELATED -j ACCEPT: allow traffic from outside the wireless network that is destined for the wireless network to pass through, if it is in response to an outgoing connection.
  - iptables -t nat -A POSTROUTING -s {wireless ip pool} -j MASQUERADE: set up the address translation.
Reset the pi to a pre-routing state
If you want to reset all we did, so that your pi won't be a router anymore, follow these steps.
- Disable packet forwarding:
  - echo 0 > /proc/sys/net/ipv4/ip_forward
  - Edit /etc/sysctl.conf: set net.ipv4.ip_forward=0 (or just comment the line setting it to 1)
- Reset iptables
  - Delete the two ACCEPT rules in table filter, chain FORWARD.
  - Delete the MASQUERADE rule in table nat, chain POSTROUTING.
  - Delete the ACCEPT rule for port 67/udp in table filter, chain INPUT.
  - Possibly also other rules that you may have created related to routing (e.g. in nat/prerouting)
- Reset dhcp server configuration
  - systemctl disable isc-dhcp-server to disable running at boot
  - systemctl stop isc-dhcp-server to stop it from running now
  - Optionally reset /etc/dhcp/dhcpd.conf to its default value (even though it's not necessary since the server isn't running)
  - Optionally reset /etc/default/isc-dhcp-server to its default value (even though it's not necessary since the server isn't running)
- Disable static address:
  - Edit /etc/dhcpcd.conf: delete the configuration for the wireless interface.
- Disable hostapd
  - systemctl stop hostapd
  - systemctl disable hostapd
  - Optionally reset /etc/default/hostapd to its default value (even though it's not necessary since the server isn't running)
  - Optionally uncomment any line you commented in /etc/wpa_supplicant/wpa_supplicant.conf
- Reboot the pi
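The NAT rules from the forwarding section and the deletions listed in the reset steps, generated from one rule list so that teardown removes exactly what setup added (an added example, not part of the original guide). The 10.5.5.0/24 pool follows the guide's example subnet, and restricting the port 67/udp rule to wlan0 with -i is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not part of the original guide: one rule list drives both the
# setup (-A) and the reset (-D) commands, so the two cannot drift apart.
# Assumed defaults: the guide's example subnet and a wlan0 wireless interface.
WIFI_POOL=${WIFI_POOL:-10.5.5.0/24}
WIFI_IF=${WIFI_IF:-wlan0}

# One rule per line: "<table> <chain> <match and target>".
router_rules() {
    cat <<EOF
filter FORWARD -s $WIFI_POOL -j ACCEPT
filter FORWARD -d $WIFI_POOL -m state --state ESTABLISHED,RELATED -j ACCEPT
nat POSTROUTING -s $WIFI_POOL -j MASQUERADE
filter INPUT -i $WIFI_IF -p udp --dport 67 -j ACCEPT
EOF
}

# Print the iptables commands for "add" or "del"; nothing is executed here.
router_commands() {  # router_commands add|del
    local mode=$1 table chain rest
    case $mode in add|del) ;; *) echo "usage: router_commands add|del" >&2; return 2 ;; esac
    router_rules | while read -r table chain rest; do
        if [ "$mode" = add ]; then
            # -C tests for an identical rule, so re-running setup adds no duplicates.
            echo "iptables -t $table -C $chain $rest 2>/dev/null || iptables -t $table -A $chain $rest"
        else
            echo "iptables -t $table -D $chain $rest"
        fi
    done
}

echo "# setup:";  router_commands add
echo "# reset:";  router_commands del
```

Review the printed commands, then apply them as root with router_commands add | sh, and undo them with router_commands del | sh.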