
@tdwong
Created April 26, 2023 00:51
Configure Raspberry Pi 4B as an AP
- use virtual interface wlan0_ap
#
#
#
#
#@ one-time system configuration
# sysctl net.ipv4.ip_forward
net.ipv4.ip_forward = 0
# sysctl net.ipv4.ip_forward=1
net.ipv4.ip_forward = 1
# echo 1 > /proc/sys/net/ipv4/ip_forward
# grep ip_forward /etc/sysctl.conf
net.ipv4.ip_forward=1
#
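#@ create iptables rules
## note: the iptables-save output below shows the FORWARD policy is ACCEPT, so the two
## FORWARD rules restrict nothing on their own; they only filter once the policy is
## DROP (sudo iptables -P FORWARD DROP). Rules added with -A are also lost on reboot
## unless they are saved and restored.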
$ IF_WLAN=wlan0_ap
$ sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
$ sudo iptables -A FORWARD -i eth0 -o ${IF_WLAN} -m state --state RELATED,ESTABLISHED -j ACCEPT
$ sudo iptables -A FORWARD -i ${IF_WLAN} -o eth0 -j ACCEPT
#
$ sudo iptables -t nat -S
$ sudo iptables -S
$ sudo iptables-save
# Generated by xtables-save v1.8.2 on Wed Aug 19 13:12:41 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i eth0 -o wlan0_ap -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i wlan0_ap -o eth0 -j ACCEPT
COMMIT
# Completed on Wed Aug 19 13:12:41 2020
# Generated by xtables-save v1.8.2 on Wed Aug 19 13:12:41 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Wed Aug 19 13:12:41 2020
#
#@ list wifi capability
# iw info
# iw list | grep -A6 valid
valid interface combinations:
* #{ managed } <= 1, #{ P2P-device } <= 1, #{ P2P-client, P2P-GO } <= 1,
total <= 3, #channels <= 2
* #{ managed } <= 1, #{ AP } <= 1, #{ P2P-client } <= 1, #{ P2P-device } <= 1,
total <= 4, #channels <= 1
Device supports scan flush.
Device supports randomizing MAC-addr in sched scans.
#
#@ show current configuration
# iw dev wlan0 info
Interface wlan0
ifindex 3
wdev 0x1
addr dc:a6:32:37:65:2a
ssid ATT-MINIONS
type managed
wiphy 0
channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz
txpower 31.00 dBm
# ifconfig wlan0
wlan0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.1.141 netmask 255.255.255.0 broadcast 192.168.1.255
inet6 2600:1700:cce0:f710:e0ec:4087:b91b:5113 prefixlen 64 scopeid 0x0<global>
inet6 2600:1700:cce0:f710::32 prefixlen 128 scopeid 0x0<global>
inet6 fe80::30a3:56f6:6eb1:3c58 prefixlen 64 scopeid 0x20<link>
ether dc:a6:32:37:65:2a txqueuelen 1000 (Ethernet)
RX packets 298123 bytes 30727078 (29.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 20102 bytes 2330494 (2.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#
#@ create virtual wifi interface
#
# https://superuser.com/q/615664/109777
# iw dev wlan0 interface add wlan0_ap type __ap
## alternative command via phy interface
$ sudo iw phy phy0 interface add wlan0_ap type __ap
## to remove the interface
$ sudo iw dev wlan0_ap del
# iw dev wlan0_ap info
Interface wlan0_ap
ifindex 4
wdev 0x3
addr dc:a6:32:37:65:2a
type AP
wiphy 0
channel 11 (2462 MHz), width: 20 MHz, center1: 2462 MHz
txpower 31.00 dBm
# ifconfig wlan0_ap hw ether dc:a6:32:37:65:2b
# ifconfig wlan0_ap
wlan0_ap: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
ether dc:a6:32:37:65:2b txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#
#@ configure virtual wifi interface
# ifconfig wlan0_ap 192.168.240.1/24 up
# ifconfig wlan0_ap
wlan0_ap: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 192.168.240.1 netmask 255.255.255.0 broadcast 192.168.240.255
ether dc:a6:32:37:65:2b txqueuelen 1000 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
#
#@ required software packages
[optional] # apt-get install -y hostapd dnsmasq
#
#@ configure dnsmasq
# cat > /etc/dnsmasq.conf <<-_eof_
# dnsmasq using wlan0_ap
dhcp-mac=set:client_is_a_pi,B8:27:EB:*:*:*
dhcp-reply-delay=tag:client_is_a_pi,2
interface=wlan0_ap
server=8.8.8.8 # use Google DNS
dhcp-range=192.168.240.50,192.168.240.150,12h # DHCP IP range & lease time
_eof_
#
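#@ configure hostapd (2.7 required for WPA3)
## note: despite the SSID name, the settings below are WPA2-PSK (wpa=2, wpa_key_mgmt=WPA-PSK);
## WPA3-Personal would need wpa_key_mgmt=SAE and ieee80211w=2, if the driver/firmware supports it.
## wpa_passphrase below is a sample value: replace it with a long random passphrase, and keep
## the file readable by root only (chmod 600 /etc/hostapd/hostapd.conf) since it holds the PSK.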
# cat > /etc/hostapd/hostapd.conf <<-_eof_
# hostapd using wlan0_ap
interface=wlan0_ap
ssid=WPA3-Network
hw_mode=g
channel=1
macaddr_acl=0
ignore_broadcast_ssid=0
auth_algs=1
wpa=2
wpa_passphrase=123456789a
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
driver=nl80211
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
_eof_
#
#@ start dnsmasq and hostapd
# service dnsmasq restart
root@rpi4b:/home/pi # service dnsmasq status
● dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-19 02:12:08 BST; 24s ago
Process: 6357 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
Process: 6358 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
Process: 6367 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
Main PID: 6366 (dnsmasq)
Tasks: 1 (limit: 4915)
Memory: 1.3M
CGroup: /system.slice/dnsmasq.service
└─6366 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.d
Aug 19 02:12:08 rpi4b dnsmasq[6366]: compile time options: IPv6 GNU-getopt DBus i18n IDN DHCP DHCPv6 no-Lua TFTP conntrack ipset auth
Aug 19 02:12:08 rpi4b dnsmasq-dhcp[6366]: DHCP, IP range 192.168.240.50 -- 192.168.240.150, lease time 12h
Aug 19 02:12:08 rpi4b dnsmasq[6366]: using nameserver 8.8.8.8#53
Aug 19 02:12:08 rpi4b dnsmasq[6366]: reading /run/dnsmasq/resolv.conf
Aug 19 02:12:08 rpi4b dnsmasq[6366]: using nameserver 8.8.8.8#53
Aug 19 02:12:08 rpi4b dnsmasq[6366]: using nameserver 192.168.1.254#53
Aug 19 02:12:08 rpi4b dnsmasq[6366]: using nameserver 2600:1700:cce0:f710::1#53
Aug 19 02:12:08 rpi4b dnsmasq[6366]: read /etc/hosts - 5 addresses
Aug 19 02:12:08 rpi4b dnsmasq[6367]: Too few arguments.
Aug 19 02:12:08 rpi4b systemd[1]: Started dnsmasq - A lightweight DHCP and caching DNS server.
$ sudo systemctl status hostapd
$ sudo systemctl unmask hostapd
$ sudo systemctl enable hostapd
$ sudo systemctl start hostapd
$ sudo systemctl status hostapd
● hostapd.service - Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
Loaded: loaded (/lib/systemd/system/hostapd.service; enabled; vendor preset: enabled)
Active: active (running) since Wed 2020-08-19 13:26:08 PDT; 2s ago
Process: 10854 ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF} (code=exited, status=0/SUCCESS)
Main PID: 10856 (hostapd)
Tasks: 1 (limit: 4915)
Memory: 484.0K
CGroup: /system.slice/hostapd.service
└─10856 /usr/sbin/hostapd -B -P /run/hostapd.pid -B /etc/hostapd/hostapd.conf
Aug 19 13:26:08 rpi4b systemd[1]: Starting Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator...
Aug 19 13:26:08 rpi4b hostapd[10854]: Configuration file: /etc/hostapd/hostapd.conf
Aug 19 13:26:08 rpi4b hostapd[10854]: wlan0_ap: Could not connect to kernel driver
Aug 19 13:26:08 rpi4b hostapd[10854]: Using interface wlan0_ap with hwaddr dc:a6:32:37:65:2b and ssid "WPA3-Network"
Aug 19 13:26:08 rpi4b hostapd[10854]: wlan0_ap: interface state UNINITIALIZED->ENABLED
Aug 19 13:26:08 rpi4b hostapd[10854]: wlan0_ap: AP-ENABLED
Aug 19 13:26:08 rpi4b systemd[1]: Started Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator.
## debug: run dnsmasq in the foreground with query logging
$ sudo dnsmasq --no-daemon --log-queries
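## run from the command line instead of as services
## (hostapd -K includes key data in the debug output; do not share or archive that log)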
$ sudo dnsmasq --interface=wlan0_ap --dhcp-range=192.168.240.50,192.168.240.150,12h --server=8.8.8.8
$ sudo hostapd -dd -K -t /etc/hostapd/hostapd.conf
#
#@ OPEN ISSUE
#
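- Pixel3 can successfully join (via hostapd) and acquire an IP address (via dnsmasq),
but still shows "Connected, no internet"
-- to check: the NAT and FORWARD rules above name eth0 as the uplink, while wlan0 also holds a LAN address; confirm with `ip route` that the default route really leaves via eth0
-- weird solution (tcpdump without -p puts the interface into promiscuous mode):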
$ sudo tcpdump -iwlan0_ap -xx