
Wi-Fi access point not supplying IP addresses to clients

Ask Ubuntu Asked by Zion Green on November 18, 2021

I created a wireless AP with hostapd with configuration saved in a file called hostapd-test.conf. When I run the file with sudo hostapd ~/hostapd-test.conf I can see the AP by scanning for Wi-Fi connections from my Android phone. The problem is when I try to connect to the network I don’t receive an IP address. I suspect that the DHCP server configuration is wrong or that I am not executing it correctly. I have followed the tutorials on how to set up a wireless network, but they just ended up confusing me more.

To summarize my question:

  1. How do I correctly configure a basic DHCP server and run it correctly
  2. When I set up a Wi-Fi network, what settings or changes should I keep in mind, e.g. changing firewall settings, setting up interfaces?
  3. Can it be that Network-Manager is messing with my configuration?

One Answer

Via NetworkManager: Share Wireless connection with Wired Ethernet Port

However I can tell you how to do it if you want to configure everything manually. From your question it seems you have already started on this path.

1. How do I correctly configure a basic DHCP server and run it correctly

First of all pick and set a static IP address on the WiFi interface. Let's say it's wlan0 with address 192.168.44.1 with netmask 255.255.255.0 (i.e. /24). You need to either set it in NetworkManager for wlan0, or in /etc/network/interfaces:

auto wlan0
iface wlan0 inet static
    address 192.168.44.1
    netmask 255.255.255.0
    # Use a smaller MTU if you use VPN or PPPoE on your WAN
    # mtu 1400

If you set it in /etc/network/interfaces, you can bring the interface up with:

sudo ifup wlan0

Or bring it down:

sudo ifdown wlan0

Then install a DHCP server:

sudo apt-get install isc-dhcp-server

Edit /etc/dhcp/dhcpd.conf:

default-lease-time 600;
max-lease-time 7200;

option subnet-mask 255.255.255.0;
option broadcast-address 192.168.44.255;

# This is the IP address of our LAN interface
option routers 192.168.44.1;

# Set the DNS server you offer to the hosts here, or you can leave Google's:
option domain-name-servers 8.8.8.8;

# If you want to use a domain name, put it here:
#option domain-name "example.com";

# This is the pool of addresses which will be offered to the clients:
subnet 192.168.44.0 netmask 255.255.255.0 {
    range 192.168.44.100 192.168.44.200;
    # Use a smaller MTU if you use VPN or PPPoE on the router
    # option interface-mtu 1400;
}

Start it:

service isc-dhcp-server restart

2. Enable routing

You have 2 options:

echo 1 > /proc/sys/net/ipv4/ip_forward

or edit /etc/sysctl.conf and set net.ipv4.ip_forward=1 then run sysctl -p

3. Firewall settings

This is what you need to do:

  • block stuff coming from WAN that you don't want (optional but recommended)
  • allow traffic from the router to the WAN (nothing special)
  • allow replies from the WAN to traffic your router has sent (nothing special)
  • allow DHCP and ping traffic from the LAN interface (wlan0 in your case) so that hosts can connect to the router
  • allow traffic coming from the LAN and going through the WAN to be routed through you
  • allow traffic coming from the WAN and going through the WAN and is a reply to traffic you routed to be routed through you
  • do NAT on the machine so that hosts from the LAN can access the Internet sharing your IP address

Allowing DHCP and ping traffic through the firewall is required only if you have changed the defaults in Ubuntu, otherwise it will just work. Otherwise basically the fix is:

sudo iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
sudo iptables -I INPUT -i wlan0 -p icmp --icmp-type 8 -j ACCEPT

(UDP ports 67 and 68 are for DHCP, the second command is ICMP type 8 a.k.a ping)

I don't know how much you know about the firewall so here is a brief intro.

You can inspect the firewall rules with:

sudo iptables -L -n -v --line-numbers

Packets will end up in 3 possible situations, which are called "chains":

  • INPUT is what comes from outside your machine to your machine (except the routed packets)
  • OUTPUT is what goes out from your machine (except the routed packets)
  • FORWARD is what comes/goes from/to your machine due to routing

Each chain can be in 2 modes:

  • policy ACCEPT means that unless there is a rule matching the packet and calling DROP, the packet will go through the chain
  • policy DROP means that unless there is a rule matching the packet and calling ACCEPT, the packet will be dropped by the chain

Normally you want:

  • OUTPUT to be in ACCEPT mode;
  • FORWARD to be in DROP mode and you add rules to allow traffic to go out from your LAN to the WAN, and also allow reply traffic to get through from WAN to LAN;
  • INPUT to be in DROP mode except for allowing DHCP and ping from LAN, allowing replies to traffic sent from the router to WAN and optionally opening ports for server applications (if you want to run a web server for instance).

Additionally you need to add a rule that does NAT. That is very simple, e.g. if eth0 is your WAN interface:

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

You can list NAT rules with:

iptables -t nat -L -n -v --line-numbers

What exactly needs to be done to get there depends on how your system is already configured. Normally I create a script that wipes out all the existent rules and fills everything from scratch.

The full thing, heavily commented:

# Set the correct names of the interfaces here:
wan=eth0
lan=wlan0

# Wipe out the current firewall config:
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X

# Set default policies for the chains in the filter table:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT

# INPUT (basic client)
# Allow loopback traffic (from us to us)
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to traffic we have sent
iptables -A INPUT -m conntrack --ctstate related,established -j ACCEPT

# INPUT (router)
# Allow DHCP from LAN
iptables -I INPUT -i $lan -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow ping from LAN
iptables -I INPUT -i $lan -p icmp --icmp-type 8 -j ACCEPT

# FORWARD (router)
# Accept any traffic coming from LAN to route it
iptables -A FORWARD -i $lan -j ACCEPT
# Accept replies from WAN to traffic we routed from LAN
iptables -A FORWARD -i $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

# NAT from LAN to WAN
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE

4. More about hostapd

You need to secure your network properly. It is important that WPA is set to 2 (WPA2) and that the pairwise algorithms use only CCMP (AES) and not TKIP (insecure). Also, use a complicated passphrase. Here is an example config /etc/hostapd/hostapd.conf:

interface=wlan0
driver=nl80211
country_code=US
ssid=Home
hw_mode=g
channel=7
wpa=2
wpa_passphrase=complicated
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0

What you will probably use differently is driver, ssid, maybe hw_mode, channel and of course wpa_passphrase. wpa_pairwise is actually not needed. Might be worth looking at https://wiki.gentoo.org/wiki/Hostapd (yeah a different distro but they usually have good examples).

5. Some extras

You might want to look into lowering your latency and QoS. Usually something like this helps, in the worst case it does not hurt and does not need tweaking:

ifconfig wlan0 txqueuelen 50
tc qdisc add dev wlan0 root sfq perturb 10
tc qdisc add dev eth0 root sfq perturb 10

6. IPv6

No clue :)

Answered by o9000 on November 18, 2021
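The answer's dhcpd.conf and hostapd.conf only work when several values agree with each other (the interface address, the subnet declaration, the pool, the gateway and the broadcast address; WPA2 with CCMP and a passphrase hostapd will accept). The following checker is an added example, not code from the answer or from isc-dhcp-server or hostapd: it reads both files as plain text with POSIX sh, awk and sed, and refuses the typical mistakes that leave clients without a lease. The sample configs, the temporary directory and the function names are constructed for the demo; the interface address is passed in as an argument because the real one depends on the machine.

```sh
#!/bin/sh
# Added example (not from the answer): sanity-check dhcpd.conf and hostapd.conf
# before starting the daemons. Pure POSIX sh + awk/sed, nothing has to be installed.

# Dotted-quad IPv4 -> integer.
ip2int() {
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside network $2 with netmask $3.
in_subnet() {
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq $(( $(ip2int "$2") & $(ip2int "$3") )) ]
}

# check_dhcpd_conf <dhcpd.conf> <address of the LAN interface>
# Everything the server advertises must agree with its one subnet declaration,
# and that subnet must contain the interface address, otherwise isc-dhcp-server
# has no subnet to serve on that interface and clients never get an offer.
check_dhcpd_conf() {
    conf=$1 ifaddr=$2
    routers=$(awk '$1=="option" && $2=="routers" { sub(";","",$3); print $3 }' "$conf")
    bcast=$(awk '$1=="option" && $2=="broadcast-address" { sub(";","",$3); print $3 }' "$conf")
    net=$(awk '$1=="subnet" { print $2 }' "$conf")
    mask=$(awk '$1=="subnet" { print $4 }' "$conf")
    rstart=$(awk '$1=="range" { print $2 }' "$conf")
    rend=$(awk '$1=="range" { sub(";","",$3); print $3 }' "$conf")
    for v in "$routers" "$bcast" "$net" "$mask" "$rstart" "$rend"; do
        [ -n "$v" ] || { echo "dhcpd: routers, broadcast-address, subnet or range missing"; return 1; }
    done
    in_subnet "$ifaddr" "$net" "$mask" || { echo "dhcpd: interface address $ifaddr is not in $net/$mask"; return 1; }
    in_subnet "$routers" "$net" "$mask" || { echo "dhcpd: option routers $routers is not in $net/$mask"; return 1; }
    in_subnet "$rstart" "$net" "$mask" && in_subnet "$rend" "$net" "$mask" \
        || { echo "dhcpd: range $rstart-$rend leaves $net/$mask"; return 1; }
    r=$(ip2int "$routers"); s=$(ip2int "$rstart"); e=$(ip2int "$rend")
    [ "$s" -le "$e" ] || { echo "dhcpd: range start is above range end"; return 1; }
    # The gateway's own address inside the pool would be leased to a client.
    [ "$r" -lt "$s" ] || [ "$r" -gt "$e" ] || { echo "dhcpd: option routers $routers is inside the pool"; return 1; }
    want=$(( $(ip2int "$net") | (~$(ip2int "$mask") & 4294967295) ))
    [ "$(ip2int "$bcast")" -eq "$want" ] || { echo "dhcpd: broadcast-address $bcast does not match $net/$mask"; return 1; }
    echo "dhcpd: $conf OK (pool $rstart-$rend, gateway $routers)"
}

# kv <file> <key>: value of the first "key=value" line.
kv() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# check_hostapd_conf <hostapd.conf>
# The points made in the answer: WPA2 only (wpa=2), CCMP-only RSN pairwise cipher,
# PSK key management, and a passphrase in the 8..63 characters hostapd accepts.
check_hostapd_conf() {
    conf=$1
    [ "$(kv "$conf" wpa)" = 2 ] || { echo "hostapd: wpa must be 2 (WPA2 only, no mixed mode)"; return 1; }
    [ "$(kv "$conf" wpa_key_mgmt)" = WPA-PSK ] || { echo "hostapd: wpa_key_mgmt should be WPA-PSK"; return 1; }
    case "$(kv "$conf" rsn_pairwise)" in
        *TKIP*) echo "hostapd: rsn_pairwise allows TKIP"; return 1 ;;
        *CCMP*) ;;
        *) echo "hostapd: rsn_pairwise must list CCMP"; return 1 ;;
    esac
    pass=$(kv "$conf" wpa_passphrase)
    [ ${#pass} -ge 8 ] && [ ${#pass} -le 63 ] || { echo "hostapd: wpa_passphrase must be 8..63 characters"; return 1; }
    echo "hostapd: $conf OK (WPA2-PSK, CCMP)"
}

# Constructed samples: the answer's two configs, plus a broken copy of each.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/dhcpd.conf" <<'EOF'
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.44.255;
option routers 192.168.44.1;
option domain-name-servers 8.8.8.8;
subnet 192.168.44.0 netmask 255.255.255.0 {
    range 192.168.44.100 192.168.44.200;
}
EOF
# Typo in the pool: a /24 other than the declared subnet (constructed).
sed 's/192\.168\.44\.\([12]00\)/192.168.45.\1/' "$SAMPLE_DIR/dhcpd.conf" > "$SAMPLE_DIR/dhcpd-bad.conf"
cat > "$SAMPLE_DIR/hostapd.conf" <<'EOF'
interface=wlan0
driver=nl80211
ssid=Home
hw_mode=g
channel=7
wpa=2
wpa_passphrase=complicated
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
EOF
# The weak cipher the answer warns against (constructed).
sed 's/^rsn_pairwise=CCMP/rsn_pairwise=TKIP CCMP/' "$SAMPLE_DIR/hostapd.conf" > "$SAMPLE_DIR/hostapd-bad.conf"

check_dhcpd_conf "$SAMPLE_DIR/dhcpd.conf" 192.168.44.1
check_hostapd_conf "$SAMPLE_DIR/hostapd.conf"
check_dhcpd_conf "$SAMPLE_DIR/dhcpd-bad.conf" 192.168.44.1 || true
check_hostapd_conf "$SAMPLE_DIR/hostapd-bad.conf" || true
```

On a real box run check_dhcpd_conf against /etc/dhcp/dhcpd.conf with the address you gave wlan0, and check_hostapd_conf against /etc/hostapd/hostapd.conf; a non-zero exit with the printed reason is usually the mismatch behind "connected but no IP address", and the remaining causes are then the firewall INPUT rules and ip_forward from the answer.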
