Raspberry Pi as Access Point: Difference between revisions

From Wurst-Wasser.net
Line 87: Line 87:
  <del>net.ipv6.conf.all.disable_ipv6 = 1</del>
  <del>net.ipv6.conf.all.disable_ipv6 = 1</del>
Explanation: Disable [[IPv6]] (to [[KISS]]) and enable forwarding for [[IPv4]]<ref>Which is quite unnecessary ;), since we bridge at layer 2...</ref>.
Explanation: Disable [[IPv6]] (to [[KISS]]) and enable forwarding for [[IPv4]]<ref>Which is quite unnecessary ;), since we bridge at layer 2...</ref>.
= Tell dhcpd to ignore our devices =
vi /etc/dhcpcd.conf
and set something like this:
nohook wpa_supplicant
denyinterfaces wlan0
Explanation: I omit <tt>/etc/wpa_supplicant/wpa_supplicant.conf</tt> for <tt>wlan0</tt>. It is essential that there remains only one layer3-active (meaning using IP) interface, and that is <tt>br0</tt>. Otherwise you get a routing mess.
Since <tt>br0</tt> and <tt>eth0</tt> are not omitted (denied), they get [[IPA]]s from the [[DHCP]]-Server. That's necessary for <tt>br0</tt>, and not for <tt>eth0</tt> (but when I omitted <tt>eth0</tt>, the bridge didn't come up. So I removed the [[IPA]] later (see below).
= Setup DHCP-Forwarding =
vi /etc/default/dhcp-helper
and set:
DHCPHELPER_OPTS="-b eth0"
Explanation: <tt>dhcp-helper</tt> will now forward all [[DHCP]]-related broadcasts to this interface (and none coming from there to the other interfaces).
= mDNS-Forwarding =
vi /etc/avahi/avahi-daemon.conf
and set:
[reflector]
enable-reflector=yes
Explanation: Enable mDNS relaying.
= Check Bridge =
As mentioned before, the <tt>br0</tt>-device is only tied to <tt>wlan0</tt>, so we must take care of this. You might want to do this with a script in <tt>/etc/network/if-up.d/</tt> like (WORK-IN-PROGRESS!):
# only do it, if necessary
/sbin/brctl show | /bin/grep eth0 && exit 0
/bin/sleep 1
 
# Remove IPA from eth0
ip addr flush dev eth0
=== Known issues ===
* After br0 is set up and this appears in the log:
Feb  5 11:59:10 pi3 kernel: [  46.256296] br0: port 2(eth0) entered blocking state
Feb  5 11:59:10 pi3 kernel: [  46.256321] br0: port 2(eth0) entered disabled state
Feb  5 11:59:10 pi3 kernel: [  46.257064] device eth0 entered promiscuous mode
* [[DNS]]-lookups fail (and therefore everything else, like pings to external hosts or <tt>apt-get</tt>)
* the [[Pi]] can't be reached by [[ssh]] or any other service
Thinking out loud: <tt>br0</tt> linkes <tt>eth0</tt> and <tt>wlan0</tt> on layer 2. Thus can't have an [[IPA]]. But <tt>br0</tt> can. I hope. :-)
[SOLVED] - The reason was the [[IPA]] on eth0, which is no layer3 interface anymore. Removing the [[IPA]] did the trick.
=== Notes ===
Since you use a [[DHCP]] server and you manually set [[IPA]]s, you might want to reserve those [[IPA]]s in your [[DHCP]]-server configuration.
This might become handy:
systemd-resolve --status
Displays your [[DNS]]-setup
nslookup www.wurst-wasser.net
Displays queried servers and queries (really!)
brctl showstp br0
Shows forwarding state
brctl showmacs br0
Shows all [[MAC]]s displays something like <tt>arp -a</tt> does, the [[MAC]]s of the machines using the bridge.
= Footer =
* Footnotes
<references/>


= Enable and Configure Access Point =
= Enable and Configure Access Point =
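Review bot: The "Check Bridge" script in this revision never attaches eth0 to br0. After `/sbin/brctl show | /bin/grep eth0 && exit 0` it only sleeps and runs `ip addr flush dev eth0`, although the sentence above it says br0 is only tied to wlan0 and "we must take care of this". Either add the step that puts eth0 into the bridge before the flush, or state where that happens; the script also needs a `#!/bin/sh` first line to run from /etc/network/if-up.d/. Separately, the section "Tell dhcpd to ignore our devices" edits /etc/dhcpcd.conf, so the heading should name dhcpcd.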

Revision as of 17:55, 19 May 2024

💡 Note to self: Check collective for more details!
💡 If this interests you, Raspberry Pi as Standalone Access Point, T60 as Pi Ethernet-WiFi-Bridge, or Raspberry as Pi Ethernet-WiFi-Bridge might too.

About

I was out of access points with external antennas, so I tried to use a Raspberry Pi 3 with a USB WiFi stick as an access point.

Setup

  • Download the latest OS for your Pi: https://www.raspberrypi.com/software/
  • Insert your SD-Card while watching dmesg -w or use fdisk -l to find your device. In my case it's /dev/sda
  • Copy the image to the SD-card: dd if=2024-03-15-raspios-bookworm-arm64-lite.img of=/dev/sda bs=1M
  • Insert into the pi, power it up
  • Complete basic setup: choose keyboard layout, create user, enable sshd and so on (raspi-config)
  • apt-get update && apt-get upgrade
  • apt-get install hostapd dnsutils traceroute bridge-utils dhcp-helper

Connecting WiFi-Stick

First try connecting the stick

dmesg -w should show something like this:

[  132.306961] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[  132.407915] usb 1-1.2: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[  132.407939] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[  132.407948] usb 1-1.2: Product: 802.11n NIC
[  132.407954] usb 1-1.2: Manufacturer: Realtek
[  132.407960] usb 1-1.2: SerialNumber: 123456

lsusb | grep WLAN should show something like this:

Bus 001 Device 008: ID 0bda:8812 Realtek Semiconductor Corp. RTL8812AU 802.11a/b/g/n/ac 2T2R DB WLAN Adapter

You might want to check apt-get install firmware-realtek (depends on device model)

Realtek 8812 model

I seem to have a Realtek 8812-knockoff, so they pointed me to https://github.com/aircrack-ng/rtl8812au

# apt-get install git dkms
$ mkdir dev && cd dev
$ git clone -b v5.6.4.2 https://github.com/aircrack-ng/rtl8812au.git
$ cd rtl*
# make dkms_install
mkdir: created directory '/usr/src/8812au-5.6.4.2_35491.20191025'
cp -r * /usr/src/8812au-5.6.4.2_35491.20191025
dkms add -m 8812au -v 5.6.4.2_35491.20191025
Creating symlink /var/lib/dkms/8812au/5.6.4.2_35491.20191025/source -> /usr/src/8812au-5.6.4.2_35491.20191025
dkms build -m 8812au -v 5.6.4.2_35491.20191025
Sign command: /lib/modules/6.6.20+rpt-rpi-v8/build/scripts/sign-file
Signing key: /var/lib/dkms/mok.key
Public certificate (MOK): /var/lib/dkms/mok.pub
Certificate or key are missing, generating self signed certificate for MOK...

Building module:
Cleaning build area...
'make' -j4 KVER=6.6.20+rpt-rpi-v8 KSRC=/lib/modules/6.6.20+rpt-rpi-v8/build.......................................................................................................................................................................................................................
Signing module /var/lib/dkms/8812au/5.6.4.2_35491.20191025/build/88XXau.ko
Cleaning build area...
dkms install -m 8812au -v 5.6.4.2_35491.20191025

88XXau.ko.xz:
Running module version sanity check.
- Original module
 - No original module exists within this kernel
- Installation
 - Installing to /lib/modules/6.6.20+rpt-rpi-v8/updates/dkms/
depmod.....
dkms status -m 8812au
8812au/5.6.4.2_35491.20191025, 6.6.20+rpt-rpi-v8, aarch64: installed

Connect the Stick (again)

[ 1239.507525] usb 1-1.2: new high-speed USB device number 6 using dwc_otg
[ 1239.608748] usb 1-1.2: New USB device found, idVendor=0bda, idProduct=8812, bcdDevice= 0.00
[ 1239.608781] usb 1-1.2: New USB device strings: Mfr=1, Product=2, SerialNumber=3
[ 1239.608797] usb 1-1.2: Product: 802.11n NIC
[ 1239.608809] usb 1-1.2: Manufacturer: Realtek
[ 1239.608820] usb 1-1.2: SerialNumber: 123456
[ 1240.283354] 88XXau: loading out-of-tree module taints kernel.
[ 1240.530118] usb 1-1.2: 88XXau 24:05:0f:f7:30:99 hw_info[d7]
[ 1240.534494] usbcore: registered new interface driver rtl88XXau

The last three lines are new.

ip addr is now showing the new interface:

4: wlan1: <NO-CARRIER,BROADCAST,MULTICAST,UP,LOWER_UP> mtu 2312 qdisc mq state DORMANT group default qlen 1000
   link/ether 24:05:0f:f7:30:99 brd ff:ff:ff:ff:ff:ff

Enable Forwarding

vi /etc/sysctl.conf

and set

net.ipv4.ip_forward=1
net.ipv6.conf.all.disable_ipv6 = 1

Explanation: Disable IPv6 (to KISS) and enable forwarding for IPv4[1].

Tell dhcpcd to ignore our devices

vi /etc/dhcpcd.conf

and set something like this:

nohook wpa_supplicant
denyinterfaces wlan0

Explanation: I omit /etc/wpa_supplicant/wpa_supplicant.conf for wlan0. It is essential that there remains only one layer3-active (meaning using IP) interface, and that is br0. Otherwise you get a routing mess. Since br0 and eth0 are not omitted (denied), they get IPAs from the DHCP-Server. That's necessary for br0, and not for eth0 (but when I omitted eth0, the bridge didn't come up). So I removed the IPA later (see below).

Setup DHCP-Forwarding

vi /etc/default/dhcp-helper

and set:

DHCPHELPER_OPTS="-b eth0"

Explanation: dhcp-helper will now forward all DHCP-related broadcasts to this interface (and none coming from there to the other interfaces).

mDNS-Forwarding

vi /etc/avahi/avahi-daemon.conf

and set:

[reflector]
enable-reflector=yes

Explanation: Enable mDNS relaying.

Check Bridge

As mentioned before, the br0-device is only tied to wlan0, so we must take care of this. You might want to do this with a script in /etc/network/if-up.d/ like (WORK-IN-PROGRESS!):
#!/bin/sh
# Only do it if necessary: exit if eth0 is already listed as a bridge port
/sbin/brctl show | /bin/grep -q eth0 && exit 0
/bin/sleep 1

# Remove IPA from eth0
ip addr flush dev eth0

Known issues

  • After br0 is set up and this appears in the log:
Feb  5 11:59:10 pi3 kernel: [   46.256296] br0: port 2(eth0) entered blocking state
Feb  5 11:59:10 pi3 kernel: [   46.256321] br0: port 2(eth0) entered disabled state
Feb  5 11:59:10 pi3 kernel: [   46.257064] device eth0 entered promiscuous mode
  • DNS-lookups fail (and therefore everything else, like pings to external hosts or apt-get)
  • the Pi can't be reached by ssh or any other service

Thinking out loud: br0 links eth0 and wlan0 on layer 2. Thus they can't have an IPA. But br0 can. I hope. :-)

[SOLVED] - The reason was the IPA on eth0, which is no longer a layer 3 interface. Removing the IPA did the trick.
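A check for the condition behind this issue, as an added example that is not part of the original page: it reads `ip -o -4 addr show` output and reports every interface other than the bridge that still holds an IPv4 address. The function name `check_l3` and the sample addresses are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the page): verify that only the bridge holds an IPv4 address.

# Reads `ip -o -4 addr show` output on stdin; $1 is the bridge name.
# Prints one line per violation, nothing when the layout is correct.
check_l3() {
    awk -v br="$1" '
        $3 != "inet" || $2 == "lo" { next }
        $2 == br { bridge_ok = 1; next }
        { print "EXTRA: " $2 " has " $4 " (fix: ip addr flush dev " $2 ")" }
        END { if (!bridge_ok) print "MISSING: " br " has no IPv4 address" }'
}

# Constructed sample: the state behind the known issue (eth0 still has its DHCP lease).
broken='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.1.23/24 brd 192.168.1.255 scope global dynamic eth0\       valid_lft 600sec preferred_lft 600sec
5: br0    inet 192.168.1.24/24 brd 192.168.1.255 scope global dynamic br0\       valid_lft 600sec preferred_lft 600sec'

printf '%s\n' "$broken" | check_l3 br0
# On the Pi itself: ip -o -4 addr show | check_l3 br0
```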

Notes

Since you use a DHCP server and you manually set IPAs, you might want to reserve those IPAs in your DHCP-server configuration. These might come in handy:

systemd-resolve --status

Displays your DNS-setup

nslookup www.wurst-wasser.net

Displays queried servers and queries (really!)

brctl showstp br0

Shows forwarding state

brctl showmacs br0

Shows all MACs: like arp -a, it displays the MACs of the machines using the bridge.

Footer

  • Footnotes
  1. Which is quite unnecessary ;), since we bridge at layer 2...

Enable and Configure Access Point

vi /etc/hostapd/hostapd.conf

and set something like this:

interface=wlan1
hw_mode=g
channel=7
ieee80211n=1
wmm_enabled=1
macaddr_acl=0
auth_algs=1
ignore_broadcast_ssid=0
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
ssid=HMSCamdenLock
wpa_passphrase=42_42_42_42
country_code=DE
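The settings above combine wpa=3 (WPA and WPA2 both enabled) with TKIP as the WPA pairwise cipher and a short passphrase. The audit function below is an added example, not part of the original page; the function names and the 16-character minimum (MIN_PSK_LEN) are assumptions made here, not hostapd limits.

```shell
#!/bin/sh
# Added example (not from the page): flag weak WPA settings in a hostapd.conf.

# Print the value of key $1 in file $2 (comments skipped, last assignment wins).
conf_get() {
    awk -v k="$1" '
        /^[ \t]*#/ { next }
        index($0, "=") {
            key = substr($0, 1, index($0, "=") - 1)
            gsub(/[ \t]/, "", key)
            if (key == k) v = substr($0, index($0, "=") + 1)
        }
        END { print v }' "$2"
}

# Print one finding per line for file $1; prints nothing if all checks pass.
audit_hostapd() {
    wpa=$(conf_get wpa "$1")
    ciphers="$(conf_get wpa_pairwise "$1") $(conf_get rsn_pairwise "$1")"
    psk=$(conf_get wpa_passphrase "$1")
    min_len=${MIN_PSK_LEN:-16}   # assumed local policy, not a hostapd limit

    case "$wpa" in
        ""|0) echo "OPEN: wpa is unset or 0, the network is unencrypted" ;;
        1|3)  echo "WPA1: wpa=$wpa still offers WPA version 1, use wpa=2" ;;
    esac
    case "$ciphers" in
        *TKIP*) echo "TKIP: TKIP is offered, use rsn_pairwise=CCMP only" ;;
    esac
    if [ -n "$psk" ] && [ "${#psk}" -lt "$min_len" ]; then
        echo "PSK: passphrase has ${#psk} characters, policy minimum is $min_len"
    fi
}

# The page's WPA-related settings, copied into a temporary file for the demo.
sample=$(mktemp)
cat > "$sample" <<'EOF'
interface=wlan1
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=42_42_42_42
EOF
audit_hostapd "$sample"
rm -f "$sample"
```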

Enable it

vi /etc/default/hostapd

…and uncomment this line and set the path:

DAEMON_CONF="/etc/hostapd/hostapd.conf"
# systemctl unmask hostapd
Removed "/etc/systemd/system/hostapd.service".
# systemctl start hostapd

Tweaks

- https://www.thingiverse.com/thing:19548