Ask Ubuntu Asked by Zion Green on November 18, 2021
I created a wireless AP with hostapd with configuration saved in a file called hostapd-test.conf. When I run the file with sudo hostapd ~/hostapd-test.conf I can see the AP by scanning for Wi-Fi connections from my Android phone. The problem is when I try to connect to the network I don’t receive an IP address. I suspect that the DHCP server configuration is wrong or that I am not executing it correctly. I have followed the tutorials on how to set up a wireless network, but they just ended up confusing me more.
To summarize my question:
Via NetworkManager: Share Wireless connection with Wired Ethernet Port
However I can tell you how to do it if you want to configure everything manually. From your question it seems you have already started on this path.
First of all pick and set a static IP address on the WiFi interface. Let's say it's wlan0 with address 192.168.44.1 with netmask 255.255.255.0 (i.e. /24). You need to either set it in NetworkManager for wlan0, or in /etc/network/interfaces:
auto wlan0
iface wlan0 inet static
address 192.168.44.1
netmask 255.255.255.0
# Use a smaller MTU if you use VPN or PPPoE on your WAN
# mtu 1400
If you set it in /etc/network/interfaces, you can bring the interface up with:
sudo ifup wlan0
Or bring it down:
sudo ifdown wlan0
Then install a DHCP server:
sudo apt-get install isc-dhcp-server
Edit /etc/dhcp/dhcpd.conf:
default-lease-time 600;
max-lease-time 7200;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.44.255;
# This is the IP address of our LAN interface
option routers 192.168.44.1;
# Set the DNS server you offer to the hosts here, or you can leave Google's:
option domain-name-servers 8.8.8.8;
# If you want to use a domain name, put it here:
#option domain-name "example.com";
# This is the pool of addresses which will be offered to the clients:
subnet 192.168.44.0 netmask 255.255.255.0 {
range 192.168.44.100 192.168.44.200;
# Use a smaller MTU if you use VPN or PPPoE on the router
# option interface-mtu 1400;
}
Start it:
service isc-dhcp-server restart
You have 2 options:
echo 1 > /proc/sys/net/ipv4/ip_forward
or edit /etc/sysctl.conf and set net.ipv4.ip_forward=1 then run sysctl -p
This is what you need to do:
Allowing DHCP and ping traffic through the firewall is required only if you have changed the defaults in Ubuntu, otherwise it will just work. Otherwise basically the fix is:
sudo iptables -I INPUT -i wlan0 -p udp --dport 67:68 --sport 67:68 -j ACCEPT
sudo iptables -I INPUT -i wlan0 -p icmp --icmp-type 8 -j ACCEPT
(UDP ports 67 and 68 are for DHCP, the second command is ICMP type 8 a.k.a ping)
I don't know how much you know about the firewall so here is a brief intro.
You can inspect the firewall rules with:
sudo iptables -L -n -v --line-numbers
Packets will end up in 3 possible situations, which are called "chains":
Each chain can be in 2 modes:
Normally you want:
Additionally you need to add a rule that does NAT. That is very simple, e.g. if eth0 is your WAN interface:
iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
You can list NAT rules with:
iptables -t nat -L -n -v --line-numbers
What exactly needs to be done to get there depends on how your system is already configured. Normally I create a script that wipes out all the existent rules and fills everything from scratch.
# Set the correct names of the interfaces here:
wan=eth0
lan=wlan0
# Wipe out the current firewall config:
iptables -t filter -F
iptables -t filter -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X
iptables -t raw -F
iptables -t raw -X
# Set default policies for the chains in the filter table:
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# INPUT (basic client)
# Allow loopback traffic (from us to us)
iptables -A INPUT -i lo -j ACCEPT
# Allow replies to traffic we have sent
iptables -A INPUT -m conntrack --ctstate related,established -j ACCEPT
# INPUT (router)
# Allow DHCP from LAN
iptables -I INPUT -i $lan -p udp --dport 67:68 --sport 67:68 -j ACCEPT
# Allow ping from LAN
iptables -I INPUT -i $lan -p icmp --icmp-type 8 -j ACCEPT
# FORWARD (router)
# Accept any traffic coming from LAN to route it
iptables -A FORWARD -i $lan -j ACCEPT
# Accept replies from WAN to traffic we routed from LAN
iptables -A FORWARD -i $wan -m state --state ESTABLISHED,RELATED -j ACCEPT
# NAT from LAN to WAN
iptables -t nat -A POSTROUTING -o $wan -j MASQUERADE
You need to secure your network properly. It is important that WPA is set to 2 (WPA2) and that the pairwise algorithms use only CCMP (AES) and not TKIP (insecure). Also, use a complicated passphrase. Here is an example config /etc/hostapd/hostapd.conf:
interface=wlan0
driver=nl80211
country_code=US
ssid=Home
hw_mode=g
channel=7
wpa=2
wpa_passphrase=complicated
wpa_key_mgmt=WPA-PSK
wpa_pairwise=CCMP
rsn_pairwise=CCMP
auth_algs=1
macaddr_acl=0
What you will probably use differently is driver, ssid, maybe hw_mode, channel and of course wpa_passphrase. wpa_pairwise is actually not needed. Might be worth looking at https://wiki.gentoo.org/wiki/Hostapd (yeah a different distro but they usually have good examples).
You might want to look into lowering your latency and QoS. Usually something like this helps, in the worst case it does not hurt and does not need tweaking:
ifconfig wlan0 txqueuelen 50
tc qdisc add dev wlan0 root sfq perturb 10
tc qdisc add dev eth0 root sfq perturb 10
No clue :)
Answered by o9000 on November 18, 2021
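Added example, not part of the answer above: a small shell audit of a hostapd configuration against the answer's advice (wpa=2, CCMP only with no TKIP, a long passphrase). The function names, the MIN_PASSPHRASE_LEN variable and its threshold of 16 are assumptions made for this illustration, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the answer): audit a hostapd.conf for wpa=2,
# CCMP-only pairwise ciphers and passphrase length. Helper names are hypothetical.
# Assumption: 16 is an illustrative minimum; WPA2-PSK itself accepts 8..63 characters.
MIN_PASSPHRASE_LEN=${MIN_PASSPHRASE_LEN:-16}

# conf_get FILE KEY: print the value of the last uncommented "KEY=value" line.
conf_get() {
    sed -n "s/^$2=//p" "$1" | tail -n 1
}

# flag MESSAGE: report one finding and count it.
flag() {
    echo "FINDING: $1"
    findings=$((findings + 1))
}

# audit_hostapd_conf FILE: print findings; the exit status is their count.
audit_hostapd_conf() {
    findings=0
    wpa=$(conf_get "$1" wpa)
    pass=$(conf_get "$1" wpa_passphrase)
    # hostapd.conf documents rsn_pairwise as defaulting to the wpa_pairwise value.
    cipher=$(conf_get "$1" rsn_pairwise)
    [ -n "$cipher" ] || cipher=$(conf_get "$1" wpa_pairwise)
    # wpa is a bit field: bit0 = WPA (v1), bit1 = WPA2/RSN, so only 2 is WPA2-only.
    case "$wpa" in
        2)  ;;
        "") flag "wpa is not set, so WPA2 is not enabled; set wpa=2" ;;
        *)  flag "wpa=$wpa is not WPA2-only; set wpa=2" ;;
    esac
    case " $cipher " in
        "  ")       flag "no pairwise cipher is set; add rsn_pairwise=CCMP" ;;
        *" TKIP "*) flag "TKIP is offered ($cipher); use rsn_pairwise=CCMP" ;;
    esac
    if [ -z "$pass" ]; then
        flag "wpa_passphrase is not set (wpa_psk and wpa_psk_file are not checked)"
    elif [ "${#pass}" -lt "$MIN_PASSPHRASE_LEN" ]; then
        flag "wpa_passphrase has ${#pass} characters; use at least $MIN_PASSPHRASE_LEN"
    fi
    return "$findings"
}

# Constructed sample: mixed WPA/WPA2 with TKIP and the answer's placeholder passphrase.
sample=$(mktemp)
printf '%s\n' 'ssid=Home' 'wpa=3' 'wpa_passphrase=complicated' \
    'wpa_key_mgmt=WPA-PSK' 'wpa_pairwise=TKIP CCMP' > "$sample"
audit_hostapd_conf "$sample" || echo "$? finding(s)"
rm -f "$sample"
```

Run against the example config from the answer, the audit reports a single finding: the 11-character placeholder passphrase, which should be replaced before the AP goes live.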